Extending Access Control Models with Break-glass

on

  • 470 views

Access control models are usually static, i.e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible ...

Access control models are usually static, i.e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i.e., the underlying policy, is needed.

Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, break-glass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems' access control enforcement architecture.

We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies.

Statistics

Views

Total Views
470
Views on SlideShare
467
Embed Views
3

Actions

Likes
0
Downloads
1
Comments
0

1 Embed 3

http://www.brucker.ch 3

Accessibility

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

Extending Access Control Models with Break-glass Extending Access Control Models with Break-glass Presentation Transcript

  • Extending Access Control Models with Break-glass Achim D. Brucker Helmut Petritsch {achim.brucker, helmut.petritsch}@sap.com Vincenz-Priessnitz-Str. ,  Karlsruhe, Germany ACM Symposium on Access Control Models and Technologies (SACMAT ) Stresa, Italy, th June 
  • Outline  Motivation  Break-glass: The Main Idea  A Generic Architecture Supporting Break-glass  Extending Model-driven Security  Conclusion and Future Work
  • Motivation Our Vision Assume, we are a nurse trying to access the patient record of Peter Meier ... A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Motivation Our Vision A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Motivation Our Vision A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Motivation Break-glass or Overriding Access Control While often motivated with health care or public security scenarios, also enterprises demand break-glass solutions: for preventing stagnation on the system administration level and for preventing stagnation on the business process level. In fact, state of the art enterprise systems support break-glass, e.g., Virsa Firefighter for SAP, Oracle’s Role Manager. A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Motivation The Situation Today Mostly implemented using pre-staged accounts that are either stored in sealed covers or electronically issued on request. Break-glass solutions should cover the creation of break-glass accounts, the distribution pre-staged accounts, the monitoring of the use of break-glass accounts, and the cleanup after an break-glass situation. This solution is quite coarse-grained and not integrated into regular access control. A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Outline  Motivation  Break-glass: The Main Idea  A Generic Architecture Supporting Break-glass  Extending Model-driven Security  Conclusion and Future Work
  • Break-glass: The Main Idea Observations and Goals During discussions with end users, we observed: depending on the situation, different overrides can be justified some restrictions can never be overridden The two main design goals are: access-control decisions should be overrideable on a per permission basis and fine-grained configuration of the restrictions that can be overridden. A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Break-glass: The Main Idea Emergeny Levels Definition A policy p refines a policy p′ (written p ⊑ p′) if and only if the set of system traces that are allowed under p is a subset of the system traces that are allowed under p′. A policy p refines a policy p′ iff p is at least as restrictive as p′. p⊺ is the policy that allows all actions and p is the policy that denies all actions. p refines all policies and every policy is a refinement of p⊺. PA be the set of all policies of the access control model A. (PA, ⊑, p , p⊺) is a lattice. A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Break-glass: The Main Idea Regular Policies and Emergeny Policies Definition We refer to the regular policy, i. e., the policy that should be obeyed in normal operations, as preg and we refer to the set of policies that are refined by the regular policy, i. e., LA = {p p ∈ PA ∧ preg ⊑ p ∧ p ≠ preg } as emergency levels or emergency policies of the policy preg. We require that (PA ∖ p , ⊑, preg, p⊺) is a lattice, i. e., inf(PA ∖ p ) = preg. An emergency level can be active or inactive. Only active emergency levels contribute to the access control decision. The regular policy is always active. A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Break-glass: The Main Idea Hierarchical Break-glass Access Control An access that is only granted by an emergency policy ℓ ∈ LA is called override access. Override accesses are only granted if there is an active policy granting access. Obligations can be attached to an (emergency) policy, i.e., requiring user confirmations or for activating monitoring. By evaluating the policies in topological order, the refinement relation holds by construction! A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Outline  Motivation  Break-glass: The Main Idea  A Generic Architecture Supporting Break-glass  Extending Model-driven Security  Conclusion and Future Work
  • A Generic Architecture Supporting Break-glass Break-glass Architecture: Main Idea The break-glass policy combination strategy can be implemented by a meta PDP. The Break-glass PDP implements the break-glass policy combination strategy on top of existing PDPs User confirmations can be implemented using obligations: the various PDPs need to support obligations the various PEPs need to support obligations the user interface needs to support confirmation requests Break-glass does not impose restrictions on the underlying access control model! A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • A Generic Architecture Supporting Break-glass A Generic Break-glass Architecture User Interface Confirmation Handler Obligation Support Protected Resource PEP Break-glass PDP Single Sign-on Existing PDP(s) Obligation Support Policy Manager Authentication 1 4 2 3 3 3a 3b A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Outline  Motivation  Break-glass: The Main Idea  A Generic Architecture Supporting Break-glass  Extending Model-driven Security  Conclusion and Future Work
  • Extending Model-driven Security The Model-driven Security Vision A Tool-supported and Security-aware Formal Model-driven Engineering Process 1..∗ Role Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Model TransformationDesign Phase Phase Verification and Code−generation Phase Deployment Phase Testing and UML/OCL (XMI) or SecureUML/OCL Code Generator Repository Model (su4sml) Model−Analysis and Verification (HOL−OCL) Transformation Model HOL−TestGen ArgoUML AC Config C# +OCL Test Harness manual Code Proof Obligations Test Data Program Generation Validation A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security The Model-driven Security Vision A Tool-supported and Security-aware Formal Model-driven Engineering Process 1..∗ Role Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Model TransformationDesign Phase Phase Verification and Code−generation Phase Deployment Phase Testing and UML/OCL (XMI) or SecureUML/OCL Code Generator Repository Model (su4sml) Model−Analysis and Verification (HOL−OCL) Transformation Model HOL−TestGen ArgoUML AC Config C# +OCL Test Harness manual Code Proof Obligations Test Data Program Generation Validation Generic SecureUML ArgoUML−plugin A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security The Model-driven Security Vision A Tool-supported and Security-aware Formal Model-driven Engineering Process 1..∗ Role Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Model TransformationDesign Phase Phase Verification and Code−generation Phase Deployment Phase Testing and UML/OCL (XMI) or SecureUML/OCL Code Generator Repository Model (su4sml) Model−Analysis and Verification (HOL−OCL) Transformation Model HOL−TestGen ArgoUML AC Config C# +OCL Test Harness manual Code Proof Obligations Test Data Program Generation Validation Transformations: SecureUML −> UML/OCL UML/OCL −> UML/OCL A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security The Model-driven Security Vision A Tool-supported and Security-aware Formal Model-driven Engineering Process 1..∗ Role Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Model TransformationDesign Phase Phase Verification and Code−generation Phase Deployment Phase Testing and UML/OCL (XMI) or SecureUML/OCL Code Generator Repository Model (su4sml) Model−Analysis and Verification (HOL−OCL) Transformation Model HOL−TestGen ArgoUML AC Config C# +OCL Test Harness manual Code Proof Obligations Test Data Program Generation Validation Code Generator SecureUML, UML, OCL Java, C#, Junit, XACL, USE, ... A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security The Model-driven Security Vision A Tool-supported and Security-aware Formal Model-driven Engineering Process 1..∗ Role Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Model TransformationDesign Phase Phase Verification and Code−generation Phase Deployment Phase Testing and UML/OCL (XMI) or SecureUML/OCL Code Generator Repository Model (su4sml) Model−Analysis and Verification (HOL−OCL) Transformation Model HOL−TestGen ArgoUML AC Config C# +OCL Test Harness manual Code Proof Obligations Test Data Program Generation Validation HOL−OCL formal analysis formal verification A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security The Model-driven Security Vision A Tool-supported and Security-aware Formal Model-driven Engineering Process 1..∗ Role Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Model TransformationDesign Phase Phase Verification and Code−generation Phase Deployment Phase Testing and UML/OCL (XMI) or SecureUML/OCL Code Generator Repository Model (su4sml) Model−Analysis and Verification (HOL−OCL) Transformation Model HOL−TestGen ArgoUML AC Config C# +OCL Test Harness manual Code Proof Obligations Test Data Program Generation Validation HOL−TestGen model−based unit test sequence testing A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security The Model-driven Security Vision A Tool-supported and Security-aware Formal Model-driven Engineering Process 1..∗ Role Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Class + Public Method # Protected Method attribute: Type − Private Method Model TransformationDesign Phase Phase Verification and Code−generation Phase Deployment Phase Testing and UML/OCL (XMI) or SecureUML/OCL Code Generator Repository Model (su4sml) Model−Analysis and Verification (HOL−OCL) Transformation Model HOL−TestGen ArgoUML AC Config C# +OCL Test Harness manual Code Proof Obligations Test Data Program Generation Validation A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security SecureUML Subject Group User Role Permission AuthorizationConstraint Action AtomicAction CompositeAction Resource0..* 0..* 1..* 0..* 0..* 1..* 0..*0..* 0..* 0..* 0..* 0..* 0..1 0..* 0..* SecureUML is a UML-based notation, provides abstract Syntax given by MOF compliant metamodel, is pluggable into arbitrary design modeling languages, is supported by an ArgoUML plugin. A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security SecureUML Subject Group User Role Permission AuthorizationConstraint Action AtomicAction CompositeAction Resource0..* 0..* 1..* 0..* 0..* 1..* 0..*0..* 0..* 0..* 0..* 0..* 0..1 0..* 0..* Policy Obligation 1..* 0..* 1..* 0..* 0..* 0..* SecureUML is a UML-based notation, provides abstract Syntax given by MOF compliant metamodel, is pluggable into arbitrary design modeling languages, is supported by an ArgoUML plugin. can easily be extended with support for break-glass. A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security Modeling Access Control with SecureUML MedicalRecord disease:String medication:String read():OclVoid update():OclVoid create():OclVoid Patient name:String 0..* owner 1 «secureuml.role» UserRole «secureuml.role» AdministratorRole «secureuml.permission» OwnerMedicalRecord MedicalRecord:read MedicalRecord:update MedicalRecord:delete caller=self.owner.name «secureuml.policy» LowEmergencyLevel «secureuml.policy» HighEmergencyLevel «secureuml.permission» EmergencyOwnerMedicalRecord MedicalRecord:read A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security ArgoUML Support A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security ArgoUML Support A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Extending Model-driven Security Code Generation (Java and XACML) In case of XACML, we can generate the policies and the PDP configuration. In particular, we sort the policies topological, use the “first-applicable” combining algorithm of XACML, and exploit the obligations support of XACML. With respect to the application, we generate (stubs of) the business logic, the calls to PDP, and the PEP. A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Outline  Motivation  Break-glass: The Main Idea  A Generic Architecture Supporting Break-glass  Extending Model-driven Security  Conclusion and Future Work
  • Conclusion and Future Work Conclusion and Future Work We presented a a generic break-glass model that allows the fine-grained, overriding of access control decisions, an generic architecture for implementing break-glass, an extension of SecureUML supporting break-glass, and the mapping of break-glass to XACML Future work includes the integration and development of analysis techniques for user providing feedback to the user, break-glass concepts for IT compliance, and techniques for a posteriori analysis of incidents. A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  
  • Thank you for your attention! Any questions or remarks?
  • Bibliography Bibliography Achim D. Brucker and Helmut Petritsch. Extending access control models with break-glass. In ACM symposium on access control models and technologies (SACMAT), pages –. ACM Press, . A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT  