A Conceptual Framework for Group-Centric Secure Information Sharing
Ram Krishnan (George Mason University)
Ravi Sandhu, Jianwei Niu, William Winsborough (University of Texas at San Antonio)
ASIACCS 2009, Sydney, Australia
Jan 17, 2018
Secure Information Sharing (SIS)
• A fundamental problem in cyber security
  – Share but protect
• Current approaches not satisfactory
  • Classic models (DAC/MAC/RBAC) do not work
  • Recent approaches
    • Proprietary systems for Enterprise Rights Management
      • Many solutions: IBM, CA, Oracle, Sun, Authentica, etc.
      • Interoperability is a major issue
    • Many languages have been standardized
      • XrML, ODRL, XACML, etc.
  • Primarily, dissemination or object centric
Dissemination Centric Sharing
• Attach attributes and policies to objects
  – Objects are associated with sticky policies
  – XrML, ODRL, XACML, etc. provide sticky policies
[Figure: Dissemination Chain with Sticky Policies on Objects. An Object carrying its Attribute + Policy Cloud is passed along a chain of users (Alice, Bob, Charlie, Ravi, Shashi), each of whom has their own Attribute Cloud.]
Group Centric Sharing (g-SIS)
• Advocates bringing users & objects together in a group
  – In practice, co-exists with dissemination centric sharing
[Figure: subject and object membership states. A subject moves from Never Group to Current Group by Join, from Current Group to Past Group by Leave, and from Past Group back to Current Group by Join. An object moves from Never Group to Current Group by Add, from Current Group to Past Group by Remove, and from Past Group back to Current Group by Add.]
• Two useful metaphors
  – Secure Meeting/Document Room
    • Users' access may depend on their participation period
    • E.g. Program committee meeting, Collaborative Product Development, Merger and Acquisition, etc.
  – Subscription Model
    • Access to content may depend on when the subscription began
    • E.g. Magazine Subscription, Secure Multicast, etc.
Core g-SIS Properties
[Figure: two event timelines. Top: Join, Add, Leave, then Authz? Bottom: Add, Join, Remove, then Authz?]
1. Provenance: Authorization can only originate during a simultaneous period of membership
2. Bounded Authorization: Authorization cannot grow during non-membership periods
3. Persistence: Authorization cannot change if no group event occurs
g-SIS Operation Semantics
[Figure: two views of a GROUP with the question Authz(S,O,R)?. Left: Subjects enter by Join and exit by Leave; Objects enter by Add and exit by Remove. Right: each operation is split into a Strict and a Liberal variant: Strict Join / Liberal Join, Strict Leave / Liberal Leave, Strict Add / Liberal Add, Strict Remove / Liberal Remove.]
Operation Semantics (Continued)
• Strict Join (SJ): Only access objects added after Join time
• Liberal Join (LJ): Also access objects added before Join time
• Strict Leave (SL): Lose access to all objects
• Liberal Leave (LL): Retain authorizations held at Leave time
Operation Semantics (Continued)
• Strict Add (SA): Only existing subjects at Add time are authorized
• Liberal Add (LA): No such restrictions
• Strict Remove (SR): All subjects lose access
• Liberal Remove (LR): Subjects who had authorization at Remove time can retain access
Family of g-SIS Models
[Figure: lattice of g-SIS models, with the Most Restrictive g-SIS Specification at the top.]
Examples:
• Traditional Groups: <LJ, SL, LA, SR>
• Secure Multicast: <SJ, LL, LA, *>
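The four operation semantics above, and the two example specifications, can be simulated as an authorization state that changes only on group events. This is an added illustration, not code from the paper or its authors: the class, method names and event traces are constructed here, and the reading that a later Join never revokes authorizations retained through a Liberal Leave is an assumption taken from the slides' re-admission example.

```python
from dataclasses import dataclass, field

STRICT, LIBERAL = "strict", "liberal"


@dataclass
class GSISGroup:
    """One g-SIS group; authorization changes only on group events."""
    members: set = field(default_factory=set)    # subjects in Current Group
    objects: dict = field(default_factory=dict)  # Current Group object -> add mode
    authz: set = field(default_factory=set)      # authorized (subject, object) pairs

    def join(self, s, mode):
        self.members.add(s)
        if mode == LIBERAL:
            # LJ: also access objects added before join, unless they were
            # added with SA (reserved for subjects present at Add time)
            for o, add_mode in self.objects.items():
                if add_mode == LIBERAL:
                    self.authz.add((s, o))
        # SJ: only objects added from now on become accessible

    def leave(self, s, mode):
        self.members.discard(s)
        if mode == STRICT:
            self.authz = {p for p in self.authz if p[0] != s}  # SL: lose all
        # LL: keep what was held at leave time; it cannot grow while absent

    def add(self, o, mode):
        self.objects[o] = mode
        for s in self.members:          # provenance: only current members
            self.authz.add((s, o))      # gain authorization, under SA and LA

    def remove(self, o, mode):
        self.objects.pop(o, None)
        if mode == STRICT:
            self.authz = {p for p in self.authz if p[1] != o}  # SR: all lose
        # LR: subjects authorized at remove time retain access

    def is_authorized(self, s, o):
        return (s, o) in self.authz


def replay(trace):
    """Apply (operation, entity, mode) events in order and return the group."""
    g = GSISGroup()
    for op, entity, mode in trace:
        getattr(g, op)(entity, mode)
    return g
```

Replaying a trace such as `[("add", "o1", LIBERAL), ("join", "alice", STRICT), ("add", "o2", LIBERAL), ("leave", "alice", LIBERAL), ("add", "o3", LIBERAL)]` reproduces the Secure Multicast behaviour: the subscriber gets o2 only, never the earlier o1 nor the o3 added after leaving.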
Conclusion & Future Work
• Group-centric Vs Dissemination-centric
• Focus on group operation semantics
• Lattice of g-SIS models
• Ongoing Work
  – Extension to other operations such as write, etc.
  – Multiple groups
    • Investigate information flow
    • Compare with Lattice Based Access Control models
  – Attribute Based Access Control in g-SIS
Backup
Presentation Outline
• Secure Information Sharing (SIS)
  – Dissemination Vs Group Centric
• Group Centric SIS (g-SIS)
• g-SIS Core Properties
• g-SIS Operation Semantics
• Family of g-SIS Models
• Usage Scenarios
• Conclusions
g-SIS (continued)
[Figure: Subject Membership States (Never Group, Current Group, Past Group, with transitions Join and Leave) and Object Membership States (Never Group, Current Group, Past Group, with transitions Add and Remove).]
Operation Semantics (Continued)
Re-visiting Metaphors
• Program Committee Meeting
  – Committee members initially enter room with LJ
  – Exit room with LL
  – Re-admitted with SJ if no access allowed to conversations during periods of absence
    • LJ, on the other hand, will allow access
  – Objects added with SA are accessible to existing members in the room