Access Control Models: Controlling Resource Authorization

There are various access control models, each with a specific intent and purpose. Determining the ideal model for an application can help ensure proper authorization to application resources. Each of the primary models will be covered, including the MAC, DAC, RBAC, and ABAC Access Control models. Examples, challenges, and benefits of each will be discussed to provide a further insight into which solution may best serve an application. Application sensitivity, regulations, and privacy may drive which model is selected.

Published in: Software

  1. Access Control Models: Controlling Resource Authorization
  2. Access Control Models: Controlling Resource Authorization. Mark Niebergall, @mbniebergall
  3. About Mark Niebergall ▪ PHP since 2005 ▪ MS degree in MIS ▪ Senior Software Engineer ▪ UPHPU President ▪ SSCP, CSSLP Certified and SME ▪ Drones, fishing, skiing, father, husband
  4. Overview
  5. Overview: the access request flow; define the applicable terminology; cover the primary access control models; discuss the pros and cons of each model
  6. Access Request Flow
  7–8. Access request flow: a subject requests access to a resource, the subject is authenticated, and the request is then authorized (the diagram is built up step by step on the slides that follow)
  9. Authentication
  10. Authentication factors: something you know, something you own (have), something you are
  11. Authentication: proving you are who you say you are; the system verifies identity before any authorization decision is made
  12. Subject
  13. Subject: also known as the requestor; a human or a non-person entity (NPE) such as a service or device
  14. Subject: the party making the request to access a resource
  17. Resource
  18. Resource: also known as the object; protected from unauthorized use
  19. Resource: something the system has or does ▪ Data ▪ Functionality ▪ Hardware
  22. Authorization
  23. Authorization: allowing an authenticated subject access to a resource (authentication answers "who"; authorization answers "may they")
  24. Authorization: allow or deny a subject's action on an object, typically one of create, read, update, delete (CRUD)
  25–26. Access request flow, complete: request resource access → authenticate subject → authorize request; the access control model is what the authorize step applies
  27. Definitions recap: authentication, authorization, subject, resource. Questions?
  28. Access Control Model
  29. Access Control Model: dictates who gets to do what
  30. Access Control Model: the framework for making authorization decisions
  31. Access Control Model: deciding a subject's access to resources
  32. Access Control Model: Broken Access Control is A5 on the 2017 OWASP Top 10
  33. Primary Access Control Models ▪ DAC: Discretionary ▪ MAC: Mandatory ▪ RBAC: Role Based ▪ ABAC: Attribute Based
  34. 1. Discretionary (DAC)
  35. DAC example: house keys (the owner decides who gets a copy)
  36. DAC example: email (the mailbox owner decides who may read or send on their behalf)
  37. DAC example: files on a system (file owner sets permissions)
  38. DAC example: clans in gaming (the clan founder admits members)
  39. DAC: Subject → Resource
  40. DAC: the object owner grants permission based on subject identity, usually recorded in an Access Control List (ACL); deny by default, so a subject with no entry gets nothing
  41. DAC access control list:
      Subject   Resource   Authorization
      Alice     Report     Allow
      Alice     Finance    Deny
      Alice     Customer   Allow
      Bob       Report     Allow
      Bob       Finance    Deny
      Bob       Customer   Deny
  42. DAC lookup, one ACL row per subject and resource:
      SELECT is_allow
      FROM acl
      WHERE subject = 'Alice'
        AND resource = 'Customer'
      LIMIT 1;
  43. DAC in code (ACL-style API):
      $acl = new Acl;
      $alice = new User('Alice');
      $bob = new User('Bob');
      $customer = new Resource('Customer');
      $acl->allow($alice, $customer);      // explicit allow entry for Alice
      $acl->deny($bob, $customer);         // explicit deny entry for Bob (same result as no entry under deny-by-default)
      $acl->isAllowed($alice, $customer);  // true
      $acl->isAllowed($bob, $customer);    // false
  44. DAC: simple to implement; high operational overhead, since every grant is managed per owner and per object; access is at the discretion of the resource owner, so owners can over-share and the organization cannot centrally enforce a policy
  45. DAC: Questions?
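The deck's DAC slides describe owner-granted, deny-by-default ACL entries; the block below is an added example in Python (not the deck's PHP, and not the deck's own code) that puts those rules into a small ACL with per-action (CRUD) entries and an owner check, so that only an object's owner can change who may use it. Class, method and variable names (Acl, register, is_allowed, build_demo_acl) are assumptions; the subjects and resources follow the deck's Alice/Bob table, with Finance given a third owner, Clara, as constructed data.

```python
"""Discretionary access control (DAC) as an owner-managed access control list."""

CRUD = frozenset({"create", "read", "update", "delete"})


class Acl:
    def __init__(self):
        self._owner = {}     # resource -> owning subject
        self._entries = {}   # (subject, resource) -> {action: allow?}

    def register(self, resource, owner):
        """Every object has an owner; the owner decides who else may use it."""
        self._owner[resource] = owner

    def _set(self, granter, subject, resource, actions, allow):
        if resource not in self._owner:
            raise KeyError(f"unknown resource {resource!r}")
        if granter != self._owner[resource]:
            # The discretionary part: only the object owner edits its ACL.
            raise PermissionError(f"{granter} does not own {resource}")
        unknown = set(actions) - CRUD
        if unknown:
            raise ValueError(f"unknown actions {sorted(unknown)}")
        entry = self._entries.setdefault((subject, resource), {})
        for action in actions:
            entry[action] = allow

    def allow(self, granter, subject, resource, actions=CRUD):
        self._set(granter, subject, resource, actions, True)

    def deny(self, granter, subject, resource, actions=CRUD):
        self._set(granter, subject, resource, actions, False)

    def is_allowed(self, subject, resource, action):
        """Deny by default: no entry, or an explicit deny, means no access."""
        if self._owner.get(resource) == subject:
            return True  # owners keep full control of their own objects
        return self._entries.get((subject, resource), {}).get(action, False)


def build_demo_acl():
    """Constructed data mirroring the deck's Alice/Bob ACL table."""
    acl = Acl()
    acl.register("Report", owner="Alice")
    acl.register("Customer", owner="Alice")
    acl.register("Finance", owner="Clara")       # assumption: a third owner
    acl.allow("Alice", "Bob", "Report", {"read"})             # Alice shares her report read-only
    acl.allow("Alice", "Bob", "Customer", {"read", "update"})
    acl.deny("Alice", "Bob", "Customer", {"update"})          # ...and later takes update back
    return acl


def self_grant_rejected(acl):
    """Bob tries to grant himself Finance; he is not the owner, so the ACL refuses."""
    try:
        acl.allow("Bob", "Bob", "Finance")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    acl = build_demo_acl()
    for subject in ("Alice", "Bob"):
        for resource in ("Report", "Finance", "Customer"):
            print(subject, resource, "read:", acl.is_allowed(subject, resource, "read"))
    print("self-grant rejected:", self_grant_rejected(acl))
```

The per-action entries are what an ACL-style library hides behind a single allow/deny call; keeping them explicit shows why the operational overhead grows with every new owner and object, which is the cost the deck attributes to DAC.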
  46. 2. Mandatory (MAC)
  47. MAC example: classified documents
  48. MAC example: military intelligence
  49. MAC example: blog (published, draft and private posts as fixed levels)
  50. MAC example: leveled-up character in a game
  51. MAC example: search engine rules
  52. MAC: Top Secret / Secret / Confidential; Subject → Classification → Resource
  53. MAC: access is decided by comparing object sensitivity (its label) with the subject's security level or clearance. The Bell-LaPadula shorthand is "read down, write up": no read up, no write down
  54. MAC: the owner sets the object label; the system sets the subject security level, so neither the subject nor the owner can grant access that the levels forbid
  55. MAC read matrix (subject security level down, object label across):
      Subject \ Object   Top Secret   Secret   Confidential
      Top Secret         Allow        Allow    Allow
      Secret             Deny         Allow    Allow
      Confidential       Deny         Deny     Allow
  56. Subject security levels: Alice Top Secret, Bob Secret, Clara Confidential. Object labels: Report Top Secret, Finance Secret, Customer Confidential. Level table: 1 Top Secret, 2 Secret (a lower number is more sensitive)
  57. MAC read matrix with the named subjects and objects:
      Subject               Report (Top Secret)   Finance (Secret)   Customer (Confidential)
      Alice (Top Secret)    Allow                 Allow              Allow
      Bob (Secret)          Deny                  Allow              Allow
      Clara (Confidential)  Deny                  Deny               Allow
  58. MAC read check in SQL. Levels are numbered as on slide 56 (1 = Top Secret, 2 = Secret, ...), so a larger number means less sensitive and "read down" means the object's level number is at least the subject's. The subject and resource tables are joined to the level table by level name, not by subject or resource name:
      SELECT 1 AS is_allowed
      FROM subject s
      JOIN security_level sl_s ON sl_s.name = s.security_level
      JOIN resource r ON r.name = 'Report'
      JOIN security_level sl_r ON sl_r.name = r.label
      WHERE s.name = 'Alice'
        AND sl_r.level >= sl_s.level
      LIMIT 1;
  59. MAC in code:
      $accessControl = new Mac;
      $topSecret = new Level('Top Secret');
      $secret = new Level('Secret');
      $alice = new User('Alice');
      $bob = new User('Bob');
      $finances = new Resource('Finances');
      // Lower number = more sensitive, matching the level table on slide 56
      $accessControl->addLevel($topSecret, 1)
          ->addLevel($secret, 2);
      // Subject clearances are assigned by the system
      $accessControl->addUser($alice, $topSecret)
          ->addUser($bob, $secret);
      // Object label set when the object is created
      $accessControl->addResource($finances, $secret);
      $accessControl->isAllowed($alice, $finances);  // true: Top Secret clearance reads down to a Secret object
  60. MAC: multilevel security; the system and the owner together determine access; no flexibility for individual subjects to share; moderate overhead (labels and clearances must be maintained)
  61. MAC: Questions?
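The MAC slides state the rules in words and as a read matrix; the block below is an added example in Python (not the deck's code) that implements both Bell-LaPadula properties, so the "write up" half the matrix does not show can be checked as well: a Confidential subject may write into a Top Secret object, but a Top Secret subject may not write into a Confidential one, which is what stops data read at a high level from leaking downward. Function names are assumptions; the clearances and labels are the deck's. Here a larger number means more sensitive, the opposite of the deck's level table; only the ordering matters.

```python
"""Mandatory access control with the Bell-LaPadula rules ("read down, write up")."""

LEVELS = {"Confidential": 1, "Secret": 2, "Top Secret": 3}

# Subject clearances are set by the system, not by the subject.
CLEARANCE = {"Alice": "Top Secret", "Bob": "Secret", "Clara": "Confidential"}
# Object labels are fixed when the object is created; a reader cannot lower them.
LABEL = {"Report": "Top Secret", "Finance": "Secret", "Customer": "Confidential"}


def rank(level):
    try:
        return LEVELS[level]
    except KeyError:
        raise ValueError(f"unknown level {level!r}") from None


def can_read(subject, obj):
    """Simple security property (no read up): a subject reads objects at or
    below its clearance."""
    return rank(CLEARANCE[subject]) >= rank(LABEL[obj])


def can_write(subject, obj):
    """*-property (no write down): a subject writes only to objects at or above
    its clearance, so what it read at Top Secret cannot end up in a
    Confidential object."""
    return rank(CLEARANCE[subject]) <= rank(LABEL[obj])


def check(subject, obj, action):
    """What the enforcement path does: raise on a forbidden access."""
    ok = can_read(subject, obj) if action == "read" else can_write(subject, obj)
    if not ok:
        raise PermissionError(
            f"{subject} ({CLEARANCE[subject]}) may not {action} {obj} ({LABEL[obj]})")
    return True


def decision_matrix(action):
    """Allow/Deny grid of subjects against objects, like the deck's read matrix."""
    verdict = {"read": can_read, "write": can_write}[action]
    return {
        subject: {obj: "Allow" if verdict(subject, obj) else "Deny" for obj in LABEL}
        for subject in CLEARANCE
    }


if __name__ == "__main__":
    for action in ("read", "write"):
        print(action)
        for subject, row in decision_matrix(action).items():
            print(" ", subject, row)
```

Note that there is no equivalent of the DAC owner grant anywhere in this code: a subject cannot widen access to an object it created, because the comparison uses only the label and the clearance, both of which are set by the system. That absence is the "no flexibility" the deck lists as a MAC drawback.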
  62. 3. Role Based (RBAC)
  63. RBAC example: Amazon Prime (member vs non-member entitlements)
  64. RBAC example: user roles on a computer (administrator, standard user, guest)
  65. RBAC example: medical care staff (doctor, nurse, receptionist)
  66. RBAC example: LARPing
  67. RBAC example: multiplayer games (admin, moderator, player)
  68. RBAC: Subject → Role (A, B, C, D) → Resource
  69. RBAC: a subject is assigned to roles; a role is granted access to resources; a subject's access is the union of its roles' grants
  70. RBAC tables:
      Subject   Role              Role         Resource
      Alice     Accounting        Accounting   Finance
      Alice     Orders            Accounting   Reports
      Bob       Payroll           Orders       Inventory
      Clara     Orders            Orders       Shipments
      Clara     Reporting         Payroll      Finance
  71. RBAC lookup in SQL. The role_resource table has no subject column, so the join is on role alone:
      SELECT sr.subject, rr.resource
      FROM subject_role sr
      JOIN role_resource rr ON rr.role = sr.role
      WHERE sr.subject = 'Alice'
        AND rr.resource = 'Reports'
      LIMIT 1;
  72. RBAC in code (isAllowed takes a subject and a resource, and Bob is placed in Ordering so that one path through a role reaches the resource):
      $accessControl = new Rbac;
      $accounting = new Role('Accounting');
      $ordering = new Role('Ordering');
      $alice = new User('Alice');
      $bob = new User('Bob');
      $inventory = new Resource('Inventory');
      $accessControl->addRole($accounting)
          ->addRole($ordering);
      $accessControl->addUser($alice)
          ->addUser($bob);
      $accessControl->addResource($inventory);
      $accessControl->addUserToRole($alice, $accounting);
      $accessControl->addUserToRole($bob, $ordering);          // added so Bob reaches Inventory through a role
      $accessControl->addResourceToRole($inventory, $ordering);
      $accessControl->isAllowed($alice, $inventory);  // false: Accounting is not granted Inventory
      $accessControl->isAllowed($bob, $inventory);    // true: Bob -> Ordering -> Inventory
  73. RBAC drawbacks: role explosion (roles multiply to cover every combination of duties and exceptions); toxic combinations (a subject holding roles that together violate separation of duties, such as both creating and approving payments)
  74. RBAC: very common; lower overhead than DAC, since grants are made once per role rather than per subject; more scalable
  75. RBAC: Questions?
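The RBAC slides give the subject-to-role and role-to-resource tables and name toxic combinations as a drawback without showing how to guard against them. The block below is an added example in Python (not the deck's code) that resolves access subject → role → resource and refuses any role assignment that would complete a toxic pair, the static separation-of-duties check most RBAC deployments bolt on once role explosion sets in. Class and method names are assumptions; the two tables are the deck's; the toxic pair Accounting + Payroll is a constructed rule.

```python
"""Role-based access control with a static separation-of-duties check."""

ROLE_RESOURCES = {
    "Accounting": {"Finance", "Reports"},
    "Orders": {"Inventory", "Shipments"},
    "Payroll": {"Finance"},
    "Reporting": {"Reports"},
}

SUBJECT_ROLES = [
    ("Alice", "Accounting"), ("Alice", "Orders"),
    ("Bob", "Payroll"),
    ("Clara", "Orders"), ("Clara", "Reporting"),
]

# Constructed rule: nobody may both keep the books and run payroll.
TOXIC_COMBINATIONS = {frozenset({"Accounting", "Payroll"})}


class Rbac:
    def __init__(self, role_resources, toxic_combinations=()):
        self.role_resources = {r: set(v) for r, v in role_resources.items()}
        self.toxic_combinations = set(toxic_combinations)
        self.subject_roles = {}

    def assign(self, subject, role):
        """Add a role to a subject, refusing assignments that would complete
        a toxic combination. The check runs at assignment time, so the
        violation never exists, rather than being found in a later audit."""
        if role not in self.role_resources:
            raise KeyError(f"unknown role {role!r}")
        held = self.subject_roles.get(subject, set()) | {role}
        for combo in self.toxic_combinations:
            if combo <= held:
                raise ValueError(
                    f"{subject}: holding {sorted(combo)} together is not permitted")
        self.subject_roles.setdefault(subject, set()).add(role)

    def is_allowed(self, subject, resource):
        """Permission flows subject -> role -> resource; no role, no access."""
        return any(resource in self.role_resources[role]
                   for role in self.subject_roles.get(subject, ()))

    def effective_resources(self, subject):
        """Union of everything the subject's roles grant, for access reviews."""
        out = set()
        for role in self.subject_roles.get(subject, ()):
            out |= self.role_resources[role]
        return out


def build_demo_rbac():
    rbac = Rbac(ROLE_RESOURCES, TOXIC_COMBINATIONS)
    for subject, role in SUBJECT_ROLES:
        rbac.assign(subject, role)
    return rbac


def toxic_assignment_rejected(rbac):
    """Bob already holds Payroll; adding Accounting must be refused."""
    try:
        rbac.assign("Bob", "Accounting")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    rbac = build_demo_rbac()
    for subject in ("Alice", "Bob", "Clara"):
        print(subject, sorted(rbac.effective_resources(subject)))
    print("toxic assignment rejected:", toxic_assignment_rejected(rbac))
```

effective_resources is the view an access review needs: it answers "what can Alice reach" without walking the role table by hand, and it is the first place role explosion shows up as subjects accumulating grants nobody intended.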
  76. 4. Attribute Based (ABAC)
  77. ABAC example: electronic key card system (who, which door, what time)
  78. ABAC example: credit card with monitoring (amount, location, spending pattern)
  79. ABAC example: airport security check
  80. ABAC example: gaming activities
  81. ABAC: conditional authorization based on attributes
  82. ABAC: policy driven
  83. ABAC: Subject, Action, Resource and Environment attributes are evaluated against a Policy
  84. ABAC policy table (environment is the region and, for Data Entry, the time of day):
      Subject      Action   Environment             Resource   Access
      Manager      Create   Region A                Customer   Allow
      Manager      Update   Region B                Customer   Deny
      Data Entry   Create   Region A, any hour      Customer   Allow
      Data Entry   Create   Region B, day shift     Customer   Allow
      Data Entry   Create   Region B, after hours   Customer   Deny
  85. ABAC attribute categories: subject attributes, action attributes, resource attributes, environment attributes
  86. ABAC subject attributes ▪ Who ▪ Where ▪ Roles ▪ Affiliation ▪ Clearance
  87. ABAC action attributes ▪ Create, POST ▪ Read, GET ▪ Update, PUT ▪ Delete, DELETE ▪ Execute
  88. ABAC resource attributes ▪ Type ▪ Owner ▪ Classification
  89. ABAC environment attributes ▪ Time ▪ Network ▪ Operating system ▪ Encryption method
  90. ABAC architecture: the Policy Enforcement Point (PEP) intercepts the request, sends an authorization request carrying the attributes to the Policy Decision Point (PDP), and enforces the PDP's allow/deny decision. Environment attributes should be gathered by the PEP from the system, not taken from the caller
  91. ABAC: Gartner predicted that 70% of all businesses would use ABAC by 2020. Keep an eye on ABAC
  92. ABAC: XACML (eXtensible Access Control Markup Language), the attempt to standardize ABAC policies in an XML format, has seen limited adoption and is, in the speaker's view, mostly dead
  93. ABAC: refined, fine-grained access; meets the demand for more advanced access control; well suited to API access control, where the request already carries most of the attributes
  94. ABAC: typically start with an RBAC implementation and build onto it with policies (roles become one subject attribute among several). Custom implementation, so no example in the deck
  95. ABAC: Questions?
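The deck gives no ABAC example because implementations are custom; the block below is an added example in Python (not the deck's code) that shows the shape such a custom implementation usually takes: a PEP that builds a request from subject, action, resource and environment attributes, a PDP that evaluates a rule list with deny-overrides combining, and default deny for anything no rule covers. The five rules encode the deck's Manager / Data Entry policy table, with the role carried as a subject attribute in the "RBAC first, then policies" style slide 94 describes. The Request and Rule names, the predicate-per-rule format, and the "day shift = 08:00 to 17:59" cut-off are assumptions.

```python
"""ABAC: a policy decision point (PDP) and the enforcement point (PEP) that calls it."""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Request:
    subject: dict      # e.g. {"name": ..., "role": ...}
    action: str        # create / read / update / delete
    resource: dict     # e.g. {"type": "Customer"}
    environment: dict  # e.g. {"region": "A", "hour": 14}


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str                          # "Allow" or "Deny"
    applies: Callable[[Request], bool]   # target and condition in one predicate


def day_shift(env):
    """Assumption: day shift is 08:00 to 17:59."""
    return 8 <= env["hour"] < 18


def customer_create(r):
    return r.action == "create" and r.resource["type"] == "Customer"


# The deck's policy table (slide 84) as rules.
POLICY = [
    Rule("manager-create-region-a", "Allow",
         lambda r: r.subject["role"] == "Manager" and customer_create(r)
         and r.environment["region"] == "A"),
    Rule("manager-no-update-region-b", "Deny",
         lambda r: r.subject["role"] == "Manager" and r.action == "update"
         and r.resource["type"] == "Customer" and r.environment["region"] == "B"),
    Rule("data-entry-create-region-a-any-hour", "Allow",
         lambda r: r.subject["role"] == "Data Entry" and customer_create(r)
         and r.environment["region"] == "A"),
    Rule("data-entry-create-region-b-day-shift", "Allow",
         lambda r: r.subject["role"] == "Data Entry" and customer_create(r)
         and r.environment["region"] == "B" and day_shift(r.environment)),
    Rule("data-entry-create-region-b-after-hours", "Deny",
         lambda r: r.subject["role"] == "Data Entry" and customer_create(r)
         and r.environment["region"] == "B" and not day_shift(r.environment)),
]


def make_request(role, action, region, hour, user="someone", resource_type="Customer"):
    return Request({"name": user, "role": role}, action, {"type": resource_type},
                   {"region": region, "hour": hour})


def decide(request, policy=POLICY):
    """PDP with deny-overrides combining and default deny: an explicit Deny
    beats any Allow, and a request that no rule covers is denied."""
    effects = {rule.effect for rule in policy if rule.applies(request)}
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "Deny"


def pep_create_customer(user, role, region, hour, pdp=decide):
    """PEP: assembles the request from the call context (region and hour would
    come from the server, never from the client), asks the PDP, enforces."""
    decision = pdp(make_request(role, "create", region, hour, user=user))
    if decision != "Allow":
        raise PermissionError(
            f"{user} ({role}) may not create Customer in region {region} at {hour:02d}:00")
    return True


if __name__ == "__main__":
    for role, action, region, hour in [("Manager", "create", "A", 3),
                                       ("Manager", "update", "B", 10),
                                       ("Manager", "create", "B", 10),
                                       ("Data Entry", "create", "B", 9),
                                       ("Data Entry", "create", "B", 22)]:
        print(role, action, region, f"{hour:02d}:00", decide(make_request(role, action, region, hour)))
```

Two points the table alone does not make: a Manager creating a Customer in Region B is denied even though no rule mentions it, because a PDP must fall through to deny rather than to allow; and a rule with effect Deny wins over any Allow that also matches, so adding a permissive rule later cannot silently reopen an access the after-hours rule closed.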
  96. Implementation Considerations
  97. Considerations: development effort and operational overhead, compared across DAC, MAC, RBAC and ABAC
  98. Considerations: scalability, granularity and suitability for sensitive resources, compared across DAC, MAC, RBAC and ABAC
  99. Implementation Considerations: use cases for the application; sensitivity of resources; scalability of the model; granularity requirements
  100. Implementation Considerations: existing frameworks and projects; APIs and external interfaces
  101. Implementation Considerations: Questions?
  102–103. Review
  104. Review: DAC is simple, high overhead, ACL based. MAC classifies both users and resources. RBAC is the most common, role driven, with smaller overhead. ABAC is the most advanced and policy driven
  105. Review: weigh operational overhead against authorization needs; consider the current implementation; consider the future implementation
  106. Credits
  107. CREDITS
      ▪ NIST publication on ABAC: http://nvlpubs.nist.gov/nistpubs/specialpublications/NIST.sp.800-162.pdf
      ▪ ABAC for ZF2: https://github.com/Eye4web/Eye4webZf2Abac/blob/master/docs/README.md
      ▪ Presentation template by SlidesCarnival
      ▪ Axiomatics webinar, May 2014: http://www.slideshare.net/Axiomatics/attribute-based-access-control-for-data-protection-webinar-may-8
      ▪ OWASP: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  108. Thanks! Questions? Mark Niebergall, @mbniebergall
