Role-based Access Control (RBAC) - PowerPoint PPT Presentation
Provided by: aarone2
1
Role-based Access Control (RBAC)
  • A. A. Elliott
  • October 1st, 2007

2
Presentation Summary
  • Introduction (to RBAC)
  • Motivation (for RBAC)
  • Literature Review
  • Discussion Points
  • Questions

3
Introduction (1 of 3)
  • Authentication

4
Introduction (2 of 3)
  • Authorization

5
Introduction (3 of 3)
  • How is access authorized?
  • Mandatory Access Control (MAC)
  • Discretionary Access Control (DAC)
  • Role-based Access Control (RBAC)
  • Why RBAC?

6
Motivation (1 of 3)
Explicit Object Grants
  • Case #1: 5 users × 5 tables = 25 grants
  • Case #2: 100 users × 100 tables = 10,000 grants
Role-based Access Control (RBAC): users → role → tables
  • Case #1: 5 users + 5 tables = 10 grants
  • Case #2: 100 users + 100 tables = 200 grants
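The two cases on this slide worked through as an added example (not code from the original deck): direct grants need one entry per (user, table) pair, while the role model needs one user-to-role assignment per user plus one role-to-table grant per table, and both resolve to exactly the same effective access. User, table and role names are constructed.

```python
# Added example (not from the deck): the same access expressed as explicit
# per-user object grants versus one shared role. Names are constructed.

def explicit_grants(users, tables):
    """Grant every user every table directly: one entry per (user, table) pair."""
    return {(u, t) for u in users for t in tables}

def role_grants(users, tables, role="app_user"):
    """One user-to-role assignment per user plus one role-to-table grant per table."""
    user_role = {(u, role) for u in users}
    role_table = {(role, t) for t in tables}
    return user_role, role_table

def effective_access(user_role, role_table):
    """Resolve user -> role -> table back into the (user, table) pairs a DBMS would enforce."""
    return {(u, t) for (u, r) in user_role for (r2, t) in role_table if r == r2}

def compare(n_users, n_tables):
    """Return (explicit grant count, role-based grant count) for identical effective access."""
    users = [f"user{i}" for i in range(n_users)]
    tables = [f"table{i}" for i in range(n_tables)]
    direct = explicit_grants(users, tables)
    user_role, role_table = role_grants(users, tables)
    assert effective_access(user_role, role_table) == direct  # no access lost or gained
    return len(direct), len(user_role) + len(role_table)

if __name__ == "__main__":
    print(compare(5, 5))       # (25, 10)
    print(compare(100, 100))   # (10000, 200)
```

The second number is also what an administrator must touch when a user leaves: one assignment to drop instead of one grant per table.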
7
Motivation (2 of 3)
  • Business and functional roles

[diagram of business and functional roles: Engineering Department, Director of Engineering, Manage Money, Manage People]
8
Motivation (3 of 3)
  • An appealing solution: use RBAC to manage RBAC → delegation

[diagram of roles (14 role boxes)]
9
Literature (1 of 6)
  • RBAC formally introduced in '92
  • D. Ferraiolo & R. Kuhn
  • A family of RBAC models, '96
  • R. Sandhu, E. Coyne, H. Feinstein, C. Youman
  • NIST Model, proposed standard, '00
  • R. Sandhu, D. Ferraiolo and R. Kuhn
  • ANSI INCITS 359-2004

10
Literature (2 of 6)
  • October 1992 - D. Ferraiolo & R. Kuhn
  • "Recently, considerable attention has been paid
    to researching and addressing the security needs
    of commercial and civilian government
    organizations. It is apparent that significant
    and broad sweeping security requirements exist
    outside the Department of Defense."
  • "Within industry and civilian government,
    integrity deals with broader issues of security
    than confidentiality. Integrity is particularly
    relevant to such applications as funds transfer,
    clinical medicine, environmental research, air
    traffic control, and avionics."

11
Literature (3 of 6)
  • February 1996 - R. Sandhu, E.J. Coyne, H.L.
    Feinstein and C.E. Youman
  • "Although RBAC's usefulness is widely
    acknowledged, there is little agreement on what
    RBAC means. As a result, RBAC is open to
    interpretation by researchers and system
    developers."
  • RBAC0: the minimum requirement for an RBAC
    system
  • RBAC1: adds role hierarchies (includes RBAC0)
  • RBAC2: adds constraints (includes RBAC0)
  • RBAC3: RBAC1 plus RBAC2 (includes RBAC0)

12
Literature (4 of 6)
  • July 2000 - R. Sandhu, D. Ferraiolo and R. Kuhn
  • This paper describes a unified model for
    role-based access control (RBAC). RBAC is a
    proven technology for large-scale authorization.
  • RBAC is a rich and open-ended technology which
    is evolving as users, researchers and vendors
    gain experience with it.

13
Literature (5 of 6)
  • Public reviews: 2 iterations including
    substantive changes (over 4 years)
  • February 3rd, 2004: ANSI INCITS 359-2004
  • This standard describes RBAC features that have
    gained acceptance in the commercial market
    place.
  • It is intended for 1) software engineers and
    product development managers who design products
    incorporating access control and 2) managers and
    procurement officials who seek to acquire
    computer security products with features that
    provide access control capabilities.

14
Literature (6 of 6)
  • Let's recap
  • In 1992 RBAC formally introduced
  • 12 years
  • In 2004 an ANSI standard!
  • 2008? What's next?
  • Let's discuss some of the issues

15
Discussion (1 of 7)
  • Proliferation of user accounts & roles
  • OpenLDAP (e.g. mail, calendar directory
    services)
  • Active Directory (e.g. print services)
  • Oracle Internet Directory (e.g. thin client
    applications)
  • Fat database account (e.g. desktop
    applications)
  • Administration of roles → ad hoc or engineered

16
Discussion (2 of 7)
[diagram of roles (12 role boxes)]
17
Discussion (3 of 7)
[diagram of roles (12 role boxes)]
18
Discussion (4 of 7)
  • Least privilege and activity based authorization
  • Static and Dynamic Separation of Duty
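An added example, not code from the original deck, that ties this slide to the RBAC1/RBAC2 levels of Literature (3 of 6): a role hierarchy (senior roles inherit junior roles' permissions), a static separation-of-duty pair checked when an administrator assigns roles, a dynamic pair checked when a session activates roles, and a permission check that honours only the activated roles (least privilege). All role, user and permission names are constructed.

```python
# Added example (not from the deck): RBAC1 role hierarchy plus RBAC2 static and
# dynamic separation of duty. Role, user and permission names are constructed.

# role -> (permissions granted directly, junior roles whose permissions it inherits)
ROLES = {
    "employee": ({"read_ledger"}, set()),
    "clerk":    ({"create_payment"}, {"employee"}),
    "approver": ({"approve_payment"}, {"employee"}),
    "auditor":  ({"read_audit_log"}, {"employee"}),
}
SSD = {frozenset({"clerk", "auditor"})}    # no user may ever hold both roles
DSD = {frozenset({"clerk", "approver"})}   # may hold both, never active in one session
assigned = {}                              # user -> roles assigned by an administrator

def closure(roles):
    """The given roles plus every junior role reachable through the hierarchy."""
    seen, todo = set(), list(roles)
    while todo:
        r = todo.pop()
        if r not in seen:
            seen.add(r)
            todo.extend(ROLES[r][1])
    return seen

def violates(constraints, roles):
    return any(pair <= roles for pair in constraints)

def assign(user, role):
    """Static SoD is enforced at assignment time, over the full hierarchy closure."""
    roles = assigned.get(user, set()) | {role}
    if violates(SSD, closure(roles)):
        return False                       # assignment refused
    assigned[user] = roles
    return True

def activate(user, roles):
    """Dynamic SoD is enforced per session; only activated roles grant access."""
    roles = set(roles)
    if not roles <= assigned.get(user, set()) or violates(DSD, closure(roles)):
        return None                        # session refused
    return closure(roles)

def permitted(active, perm):
    """Least privilege: a session gets only what its activated roles carry."""
    return active is not None and any(perm in ROLES[r][0] for r in active)

if __name__ == "__main__":
    assign("alice", "clerk"); assign("alice", "approver")
    print(assign("alice", "auditor"), activate("alice", {"clerk", "approver"}))  # False None
    print(permitted(activate("alice", {"clerk"}), "approve_payment"))            # False
```

Note that both constraints are evaluated on the hierarchy closure, so a conflict cannot be hidden behind a senior role that merely inherits one of the conflicting roles.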

19
Discussion (5 of 7)
  • Holding vendors accountable!
  • e.g. 1: software with one role: super
  • e.g. 2: software with user credentials stored
    unencrypted in a database table

20
Discussion (6 of 7)
  • Oracle Buys Enterprise Role Management Leader
    Bridgestream (SEPT 5, 2007)
    http://www.oracle.com/corporate/press/2007_sep/bridgestream.html?rssidrss_ocom_pr
  • http://www.bridgestream.com/flash_docs.php
  • Increased Complexity Means Higher Vulnerability
  • While regulations continue to evolve and
    multiply, the IT environment at most enterprises
    is growing more complex. The IT department
    typically has hundreds of applications under
    management.

21
Discussion (7 of 7)
  • Many individuals who have access to documents
    and resources SHOULDN'T have that access
  • Most user provisioning is done manually and
    can't scale.
  • People are not de-provisioned on time.
  • There is no simple way to obtain evidence that
    internal controls have in fact been followed.

22
Primary References
  • Ferraiolo, D. and Kuhn, R., "Role-based access
    controls", in Proceedings of the 15th NIST-NCSC
    National Computer Security Conference, Baltimore,
    Maryland, United States, October 1992, pp.
    554-563.
  • Sandhu, R., Coyne, E.J., Feinstein, H.L. and
    Youman, C.E., "Role-based access control models",
    IEEE Computer, February 1996, Volume 29, Number 2,
    pp. 38-47.
  • Sandhu, R., Ferraiolo, D. and Kuhn, R., "The NIST
    model for role-based access control: Towards a
    unified standard", in Proceedings of the 5th ACM
    Workshop on Role-Based Access Control, Berlin,
    Germany, July 2000, pp. 47-63.
  • ANSI INCITS 359-2004, February 3, 2004.

23
Questions?
  • Thank you!!