Page 1
Cyber-Identity and Authorizationin an Uncertain World
Ravi SandhuLaboratory for Information Security Technology
www.list.gmu.edu
Department of Information and Software Engineering
School of Information Technology and Engineering
George Mason University
[email protected]
703-993-1659
Page 2
Laboratory for Information Security Technology
2
What is Cyber-Security?
• Fighting fires– Keeping the bad guys out– Firewalls, Intrusion Detection, Virus scans,
Spam filters, Content filters
• Increasing productivity– Letting the good guys in– Cyber-Identity and Authorization
STOP
GO
Page 3
Laboratory for Information Security Technology
3
What is Cyber-Security?
EASY SECURE
PRACTICAL
Page 4
Laboratory for Information Security Technology
4
An Uncertain World• Uncertain threat
– We are always fighting the last war
• Technological change– Pervasive (ubiquitous) computing– Peer-to-peer, grid and utility computing– Intel’s LaGrande and Microsoft’s Longhorn– The next Intel, Microsoft, Cisco, ….
• Business change– Outsourcing and globalization
Page 5
Laboratory for Information Security Technology
5
Cyber-Identity Megatrends
• Federated identity– Identity relying party is NOT the identity provider– Who will be the DMV in cyberspace?
• Grades of identity– Identity vetting, authentication strength, purpose,
privacy– A single infrastructure to drive all grades
Page 6
Laboratory for Information Security Technology
6
Cyber-Identity Mega-Challenges• Pervasive (ubiquitous) computing
– How can a user get effective control of identity in a pervasive environment
• Ad-hoc peer-to-peer computing– First responders in an emergency
• Trustworthy computing– Will Intel’s LaGrande technology or Microsoft’s
Longhorn help us save the day
Page 7
Laboratory for Information Security Technology
7
RBAC96 Model
ROLES
USER-ROLEASSIGNMENT
PERMISSIONS-ROLEASSIGNMENT
USERS PERMISSIONS
... SESSIONS
ROLE HIERARCHIES
CONSTRAINTS
Page 8
Laboratory for Information Security Technology
8
Usage Control (UCON) Coverage
• Protection Objectives– Sensitive information
protection– IPR protection– Privacy protection
• Protection Architectures– Server-side reference
monitor– Client-side reference
monitor– SRM & CRMServer-side
Reference Monitor(SRM)
Client-sideReference Monitor
(CRM)
TraditionalAccessControl
TrustManagement
Usage ControlSensitive
InformationProtection
IntellectualProperty Rights
Protection
PrivacyProtection
DRM
SRM & CRM
Page 9
Laboratory for Information Security Technology
9
UCON_ABC Models
Rights(R)
UsageDecision
Authoriza-tions (A)
Subjects(S)
Objects(O)
Subject Attributes(ATT(S))
Object Attributes(ATT(O))
Obligations(B)
Conditions(C)
Continuity Decision can be made during usage for continuous enforcement
MutabilityAttributes can be updated as side-effects of subjects’ actions
Usage
Continuity ofDecisions
pre
Before After
ongoing N/A
pre ongoing postMutability of
Attributes
Page 10
Laboratory for Information Security Technology
10
Conclusion
• Managing cyber-identity and authorization in an uncertain world is one of our nation’s foremost cyber-security problems
• RBAC and UCON will be essential underpinnings of the solutions
• GMU is a world leader in this sector