Generalized Attribute Centric Access Control
Arjumand Fatima, December 12, 2014
Thesis Proposal Defense
02/04/15
Department of Computing, School of Electrical
Engineering and Computer Sciences, NUST -
Islamabad
Supervisor:
Dr. Abdul Ghafoor
GEC:
Dr. M. Awais Shibli
Mr. Faisal Khan
Ms. Hirra Anwar

Agenda
• Problem Statement
• Introduction
• Literature Review
• Proposed Solution
• Abstract Architecture
• Impact
• Applications
• References

Problem Statement
• Achieving completely mediated access control using existing models is a challenge in dynamic environments, where ensuring privacy and anonymity is essential, and fine-grained, flexible and multi-factor authorization is required.

Introduction
• Controlling access to sensitive resources
• Access is controlled based on different factors such as identity, role and attributes

Literature Review
• Evolution of Access Control
• Role-Based Access Control (RBAC)
• Limitations of Traditional Access Control Models
• Addressing the Limitations of Traditional Access Control Models
  • Extended Role Based Access Control Models
  • Attribute Based Access Control (ABAC) Model
• Extended RBAC Models and their limitations
• Attribute Based Access Control (ABAC) Model
• The Conventional Debate: RBAC vs ABAC
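
Evolution of Access Control
[Figure: timeline of access control models. Years shown: 1992, 1996, 2001, 2007, 2009 - 2014. Labels: MAC, DAC, Pre RBAC, Early RBAC, Standard RBAC, Pre ABAC, Extended RBAC, Early ABAC, RBAC vs ABAC. The timeline is divided into Role Centric and Attribute Centric.]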

Role Based Access Control
[Figure: RBAC model. Elements: USERS, ROLES, SESSIONS, OPS, OBS, PRMS, SSD, DSD. Relations: (UA) User Assignment, (PA) Permission Assignment, (RH) Role Hierarchy, User Session, Session roles.]
OBS = Objects
OPS = Operations
PRMS = Permissions
SSD = Separation of Duty
DSD = Dynamic Separation of Duty

Limitations of RBAC
• Role Engineering
• Role Activation
• Role Engineering

Challenges in Traditional Access Control
Access Control Models:
• User Centric
• Rigid
• Static
• One Time
• Identity Based
• Coarse Grained
• Context Insensitive
• Single Factor

Context Sensitivity

Context Sensitive Access Control
Context Based Access Control
• Inherently context sensitive
• Attribute Based Access Control (ABAC) Model
Context Aware Access Control
• Extensions built on top of a context insensitive model
• Extended Role Based Access Control (RBAC) Models

Extended RBAC Models
• Team Based
• Environmental Roles
• Time Based
• Location Based

Limitations of Extended RBAC Models
• Role Centric
• Too Complex
• Too Specific

Challenges in Traditional Access Control
Access Control Models:
• Rigid
• One Time
• Identity Based
• Coarse Grained
• Single Factor

Attribute Based Access Control (ABAC)
• Subject Attributes
• Resource Attributes
• Environment Attributes
ABAC controls access based on the attributes of the subject, the resource and the environment. This provides greater flexibility for making access control decisions than traditional methods, which were mostly subject-centric and did not consider the resource or the environment as a primary factor.

The Conventional Debate
[Figure: RBAC Model, ABAC Model]

The Conventional Debate
ABAC
• Newer
• Simpler to implement
• Attribute-Centric
• Dynamically changing environments
• Attribute Engineering
• Difficult to audit permissions
RBAC
• Outdated
• Expensive to implement
• Role-Centric
• Static environments
• Role Engineering
• Simplified auditing of resources

Adding Attributes To Role Based Access Control
Option  User ID  Role  Attribute  Model
0       0        0     0          Undefined
1       0        0     1          ABAC-basic
2       0        1     0          Undefined
3       0        1     1          ABAC-RBAC hybrid
4       1        0     0          ACL
5       1        0     1          ABAC-ID
6       1        1     0          RBAC-basic
7       1        1     1          RBAC-A dynamic roles
8       1        1     1          RBAC-A role centric
9       1        1     1          RBAC-A attribute centric
• Assigning permissions to roles
• Adding further constraints based on attributes
• Still role centric

Proposed Solution
• Need Analysis
• Existing Work on Attribute Centric Solution
• Common Misconceptions
• Our Contribution
• Core Components
• Access Control Mechanism
• Family of Access Control Models
• Potential Impact
• Validity of Proposed Solution

Attribute Centric Access Control (AC)²
• Role-Less Environments
• Anonymous Users
• Flexible
• On-Going Control
• Fine Grained
• Multi-Factor

Existing Work on Attribute Centric Solutions
• Attribute Based Access Control (ABAC) Model
• Already exists but still in nascent state
• Lack of Standard Before 2014
• Details Still Missing

Common Misconceptions
[Figure labels: Myth, Reality, ABAC, RBAC, Attribute, Role]

Common Misconceptions
Myth / Reality
• Auditing permissions is easy in RBAC
• Reviewing permissions is difficult in ABAC
• User-Role review is easy
• Permission-Role review is challenging
• We need to divide permission auditing into smaller tasks for ABAC as well
• ABAC Model offers fine-grained access control
• ABAC Model offers multi-factor access control

Problem Statement
• Achieving completely mediated access control using existing models is a challenge in dynamic environments, where ensuring privacy and anonymity is essential, and fine-grained, flexible and multi-factor authorization is required.

Our Contribution
• Generalized Attribute Centric Access Control
• Subject
• Object
• Environment
• Operation
• Rules
• Permissions
Inherently context sensitive attributes
<Action, User, Object, Environment> ∈ Rule
<Rule(s)> ∈ Permission
where Rule = {Allow, Do not Allow}

Our Contribution
[Figure: access control architecture. Components and labelled flows: User; Resource; PEP (Access Request, Allow or deny access); PDP (Access Request, Access Response, Find applicable policy); Policy Repository; PAP (Store policies); PIP (Retrieve attributes); Subject attribute authority; Resource attribute authority; Environment attribute authority.]
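
The request flow in the architecture figure above (PEP, PDP, PIP, PAP) combined with the <Action, User, Object, Environment> rule form from the preceding slide, as an added example that is not part of the original slides. The class and field names, the constructed smart-classroom data, the deny-overrides combining and the deny-when-no-rule-applies behaviour are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Attrs = Dict[str, object]
ALLOW, DENY = "Allow", "Do not Allow"  # the two rule outcomes named on the slide


@dataclass(frozen=True)
class Rule:
    """One <Action, User, Object, Environment> rule (field names are assumed)."""
    name: str
    action: str
    condition: Callable[[Attrs, Attrs, Attrs], bool]  # (user, object, environment)
    effect: str


class PAP:
    """Policy Administration Point: stores policies in the repository."""
    def __init__(self) -> None:
        self.repository: List[Rule] = []

    def store(self, rule: Rule) -> None:
        self.repository.append(rule)


class PIP:
    """Policy Information Point: retrieves attributes from the three authorities."""
    def __init__(self, subject_aa: Dict[str, Attrs], resource_aa: Dict[str, Attrs],
                 environment_aa: Callable[[], Attrs]) -> None:
        self.subject_aa = subject_aa
        self.resource_aa = resource_aa
        self.environment_aa = environment_aa

    def retrieve(self, subject_token: str, resource_id: str) -> Tuple[Attrs, Attrs, Attrs]:
        # Unknown subjects or resources get empty attribute sets, never defaults.
        return (self.subject_aa.get(subject_token, {}),
                self.resource_aa.get(resource_id, {}),
                self.environment_aa())  # read fresh on every request


class PDP:
    """Policy Decision Point: finds applicable rules and combines their effects."""
    def __init__(self, pap: PAP, pip: PIP) -> None:
        self.pap, self.pip = pap, pip

    def decide(self, subject_token: str, action: str, resource_id: str) -> str:
        user, obj, env = self.pip.retrieve(subject_token, resource_id)
        try:
            effects = [r.effect for r in self.pap.repository
                       if r.action == action and r.condition(user, obj, env)]
        except Exception:
            return DENY  # a rule that cannot be evaluated fails closed
        # Assumed combining: deny overrides, and no applicable rule means deny.
        if not effects or DENY in effects:
            return DENY
        return ALLOW


class PEP:
    """Policy Enforcement Point: every access request passes through here."""
    def __init__(self, pdp: PDP) -> None:
        self.pdp = pdp
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def request(self, subject_token: str, action: str, resource_id: str) -> bool:
        decision = self.pdp.decide(subject_token, action, resource_id)
        self.audit_log.append((subject_token, action, resource_id, decision))
        return decision == ALLOW


def build_demo() -> Tuple[PEP, Attrs]:
    """Constructed smart-classroom data; all tokens, ids and attributes are made up."""
    subjects = {"tok-a1": {"enrolled": "CS101", "device_managed": True},
                "tok-b2": {"enrolled": "CS101", "device_managed": False}}
    resources = {"lecture-7": {"course": "CS101", "type": "lecture"},
                 "exam-1": {"course": "CS101", "type": "exam"}}
    context: Attrs = {"location": "classroom"}  # stands in for a context provider
    pap = PAP()
    # Require the attribute to be present: comparing two missing values
    # (None == None) would otherwise match for an unknown user and resource.
    pap.store(Rule("enrolled-read", "read",
                   lambda u, o, e: "enrolled" in u
                   and u["enrolled"] == o.get("course")
                   and e.get("location") == "classroom", ALLOW))
    pap.store(Rule("exam-needs-managed-device", "read",
                   lambda u, o, e: o.get("type") == "exam"
                   and not u.get("device_managed", False), DENY))
    pip = PIP(subjects, resources, lambda: context)
    return PEP(PDP(pap, pip)), context


if __name__ == "__main__":
    pep, context = build_demo()
    for token, action, res in [("tok-a1", "read", "lecture-7"),
                               ("tok-b2", "read", "exam-1"),
                               ("tok-zz", "read", "no-such-resource")]:
        print(token, action, res, "->", pep.request(token, action, res))
    context["location"] = "cafeteria"  # context change revokes the earlier allow
    print("tok-a1 read lecture-7 ->", pep.request("tok-a1", "read", "lecture-7"))
```

Subjects are identified only by an opaque token and their attributes, so the decision never depends on a user identity or role, and the environment is re-read on each request so a context change takes effect on the next access.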

Our Contribution
[Figure: Context Attribute Authority; three Context Providers; Sensors under each Context Provider.]

Our Contribution
Towards A Family of Access Control Models
Attribute Centric Access Control:
• Constrained (AC)²
• Fine Grained (AC)²
• Core (AC)²

Potential Impact
• Interoperability Across Access Control Solutions
• Compliance and Assurance

Validity
• NIST ABAC Workshop, July 2013
• Guide to Attribute Based Access Control (ABAC) Definition and Considerations, January 2014
• SACMAT 2015 Call for Papers
• Treating ABAC as a single model would be a mistake.
• Towards an ABAC Family of Models

Potential Applications
• Small Teams with Overlapping Responsibilities (SMEs / SMBs)
• Bring Your Own Device (BYOD) Security: Authorization Challenges
• Smart Classrooms (BYOD)
• Restrictive Use of Corporate Devices For Personal Use

Timeline
• Literature Review
• TH-1 Form Submission
• Problem Identification
• Proposal Defense
• TH-2 Form Submission (15.12.2014)
• Implementation (31.3.2015)
• Testing and Evaluation (30.4.2015)
• Research Paper Writing (10.5.2015)
• In-house Defense (15.5.2015)
• Final Defense (15.6.2015)

Questions?
Thank You

 
Recommendation System using RAG Architecture
Recommendation System using RAG ArchitectureRecommendation System using RAG Architecture
Recommendation System using RAG Architecture
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - HiikeSystem Design Case Study: Building a Scalable E-Commerce Platform - Hiike
System Design Case Study: Building a Scalable E-Commerce Platform - Hiike
 
Trusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process MiningTrusted Execution Environment for Decentralized Process Mining
Trusted Execution Environment for Decentralized Process Mining
 
Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!Finale of the Year: Apply for Next One!
Finale of the Year: Apply for Next One!
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 

Generalized attribute centric access control

  • 1. Generalized Attribute Centric Access Control Arjumand Fatima, December 12, 2014 Thesis Proposal Defense
  • 2. Department of Computing, School of Electrical Engineering and Computer Sciences, NUST - Islamabad. 02/04/15. Generalized Attribute Centric Access Control, Thesis Proposal Defense, Arjumand Fatima, SEECS-NUST Islamabad. Supervisor: Dr. Abdul Ghafoor. GEC: Dr. M. Awais Shibli, Mr. Faisal Khan, Ms. Hirra Anwar
  • 3. Agenda: Problem Statement; Introduction; Literature Review; Proposed Solution; Abstract Architecture; Impact; Applications; References
  • 4. Problem Statement: Achieving completely mediated access control using existing models is a challenge in dynamic environments, where ensuring privacy and anonymity is essential, and fine-grained, flexible and multi-factor authorization is required.
  • 5. Introduction: Controlling access to sensitive resources; Access is controlled based on different factors such as identity, role and attributes
  • 6. Literature Review: Evolution of Access Control; Role-Based Access Control (RBAC); Limitations of Traditional Access Control Models; Addressing the Limitations of Traditional Access Control Models (Extended Role Based Access Control Models; Attribute Based Access Control (ABAC) Model); Extended RBAC Models and their limitations; Attribute Based Access Control (ABAC) Model; The Conventional Debate: RBAC vs ABAC
  • 7. Evolution of Access Control [Figure: timeline with year marks 1992, 1996, 2001, 2007 and 2009 - 2014; labels MAC, DAC, Pre RBAC, Early RBAC, Standard RBAC, Pre ABAC, Extended RBAC, Early ABAC, RBAC vs ABAC; axis labels Role Centric and Attribute Centric]
  • 8. Role Based Access Control [Figure: diagram with elements USERS, ROLES, SESSIONS, OPS, OBS, PRMS, SSD, DSD and relations (UA) User Assignment, (PA) Permission Assignment, (RH) Role Hierarchy, User Session, Session roles]. OBS = Objects; OPS = Operations; PRMS = Permissions; SSD = Separation of Duty; DSD = Dynamic Separation of Duty
  • 9. Limitations of RBAC: Role Engineering; Role Activation; Role Engineering
  • 10. Limitations of RBAC: Role Engineering; Role Activation; Role Engineering
  • 11. Challenges in Traditional Access Control. Access Control Models: User Centric; Rigid; Static; One Time; Identity Based; Coarse Grained; Context Insensitive; Single Factor
  • 12. Context Sensitivity
  • 13. Context Sensitive Access Control (Context Based Access Control, Context Aware Access Control). Inherently context sensitive: Attribute Based Access Control (ABAC) Model. Extensions built on top of a context insensitive model: Extended Role Based Access Control (RBAC) Models
  • 14. Extended RBAC Models: Team Based; Environmental Roles; Time Based; Location Based
  • 15. Limitations of Extended RBAC Models: Role Centric; Too Complex; Too Specific
  • 16. Challenges in Traditional Access Control. Access Control Models: Rigid; One Time; Identity Based; Coarse Grained; Single Factor
  • 17. Attribute Based Access Control (ABAC): Subject Attributes; Resource Attributes; Environment Attributes. Controls access based on the attributes of the Subject, the Resource and the Environment. This provides greater flexibility for making access control decisions than traditional methods, which were mostly subject-centric and did not consider resource or environment as the primary factor.
  • 18. The Conventional Debate: RBAC Model; ABAC Model
  • 19. The Conventional Debate

    | ABAC | RBAC |
    |---|---|
    | Newer | Outdated |
    | Simpler to implement | Expensive to implement |
    | Attribute-Centric | Role-Centric |
    | Dynamically changing environments | Static environments |
    | Attribute Engineering | Role Engineering |
    | Difficult to audit permissions | Simplified auditing of resources |

  • 20. Adding Attributes To Role Based Access Control

    | Option | User ID | Role | Attribute | Model |
    |---|---|---|---|---|
    | 0 | 0 | 0 | 0 | Undefined |
    | 1 | 0 | 0 | 1 | ABAC-basic |
    | 2 | 0 | 1 | 0 | Undefined |
    | 3 | 0 | 1 | 1 | ABAC-RBAC hybrid |
    | 4 | 1 | 0 | 0 | ACL |
    | 5 | 1 | 0 | 1 | ABAC-ID |
    | 6 | 1 | 1 | 0 | RBAC-basic |
    | 7 | 1 | 1 | 1 | RBAC-A dynamic roles |
    | 8 | 1 | 1 | 1 | RBAC-A role centric |
    | 9 | 1 | 1 | 1 | RBAC-A attribute centric |

    Assigning permissions to roles; Adding further constraints based on attributes; Still role centric
  • 21. Proposed Solution: Need Analysis; Existing Work on Attribute Centric Solution; Common Misconceptions; Our Contribution; Core Components; Access Control Mechanism; Family of Access Control Models; Potential Impact; Validity of Proposed Solution
  • 22. Attribute Centric Access Control (AC)²: Role-Less Environments; Anonymous Users; Flexible; On-Going Control; Fine Grained; Multi-Factor
  • 23. Existing Work on Attribute Centric Solutions: Attribute Based Access Control (ABAC) Model; Already exists but still in nascent state
  • 24. Existing Work on Attribute Centric Solutions: Lack of Standard Before 2014; Details Still Missing
  • 25. Common Misconceptions [Figure labels: ABAC, RBAC, Attribute, Role, Myth, Reality]
  • 26. Common Misconceptions (Myth, Reality): Auditing permissions is easy in RBAC; Reviewing permissions is difficult in ABAC; User-Role review is easy; Permission-Role review is challenging; We need to divide permission auditing into smaller tasks for ABAC as well; ABAC Model offers fine-grained access control; ABAC Model offers multi-factor access control
  • 27. Problem Statement: Achieving completely mediated access control using existing models is a challenge in dynamic environments, where ensuring privacy and anonymity is essential, and fine-grained, flexible and multi-factor authorization is required.
  • 28. Our Contribution: Generalized Attribute Centric Access Control; Subject; Object; Environment; Operation; Rules; Permissions. Inherently context sensitive attributes. <Action, User, Object, Environment> ∈ Rule; <Rule(s)> ∈ Permission, where Rule = {Allow, Do not Allow}
  • 29. Our Contribution [Figure: architecture diagram with labels User; Resource; Access Request; PEP; PDP; Policy Repository; Find applicable policy; PAP; Store policies; PIP; Retrieve attributes; Subject attribute authority; Resource attribute authority; Environment attribute authority; Access Response; Allow or deny access]
  • 30. Our Contribution [Figure labels: Context Attribute Authority; Context Provider (three times); Sensors (three times)]
  • 31. Our Contribution: Towards A Family of Access Control Models. Attribute Centric Access Control: Core (AC)²; Constrained (AC)²; Fine Grained (AC)²
  • 32. Potential Impact: Interoperability Across Access Control Solutions; Compliance and Assurance
  • 33. Validity: NIST ABAC Workshop, July 2013; Guide to Attribute Based Access Control (ABAC) Definition and Considerations, January 2014; SACMAT 2015 Call for Papers; Treating ABAC as a single model would be a mistake. Towards an ABAC Family of Models
  • 34. Potential Applications: Small Teams with Overlapping Responsibilities (SMEs / SMBs)
  • 35. Potential Applications: Bring Your Own Device (BYOD) Security; Authorization Challenges
  • 36. Potential Applications: Smart Classrooms (BYOD)
  • 37. Potential Applications: Restrictive Use of Corporate Devices For Personal Use
  • 38. Timeline: Literature Review; TH-1 Form Submission; Problem Identification; Proposal Defense; TH-2 Form Submission (15.12.2014); Implementation (31.3.2015); Testing and Evaluation (30.4.2015); Research Paper Writing (10.5.2015); In-house Defense (15.5.2015); Final Defense (15.6.2015)
  • 42. Questions?
  • 43. Thank You
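
The rule form on slide 28 and the PEP / PDP / PIP flow on slide 29, worked as an added Python sketch that is not part of the presentation. The class names, the pseudonymous subject handles, the attribute names and the smart-classroom policy are constructed assumptions; deny-by-default and "any deny wins" are design choices of this example, not something the slides specify.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ALLOW, DENY = "Allow", "Do not Allow"  # the two rule outcomes named on slide 28
Attrs = Dict[str, object]

@dataclass(frozen=True)
class Rule:
    """<Action, User, Object, Environment> mapped to an effect via a predicate."""
    name: str
    effect: str
    condition: Callable[[str, Attrs, Attrs, Attrs], bool]

class PIP:
    """Policy Information Point: fetches attributes from the three authorities."""
    def __init__(self, subjects: Dict[str, Attrs], resources: Dict[str, Attrs],
                 environment: Attrs):
        self.subjects, self.resources, self.environment = subjects, resources, environment

    def lookup(self, subject: str, resource: str) -> Tuple[Attrs, Attrs, Attrs]:
        # Unknown handles resolve to empty attribute sets, never to defaults.
        return (self.subjects.get(subject, {}), self.resources.get(resource, {}),
                dict(self.environment))

class PDP:
    """Policy Decision Point: deny by default, and any matching deny rule wins."""
    def __init__(self, rules: List[Rule], pip: PIP):
        self.rules, self.pip = rules, pip

    def decide(self, action: str, subject: str, resource: str) -> str:
        s, o, e = self.pip.lookup(subject, resource)
        effects = set()
        for rule in self.rules:
            try:
                if rule.condition(action, s, o, e):
                    effects.add(rule.effect)
            except KeyError:
                # A rule needed an attribute nobody supplied: fail closed.
                effects.add(DENY)
        return ALLOW if effects == {ALLOW} else DENY

def enforce(pdp: PDP, action: str, subject: str, resource: str) -> str:
    """Policy Enforcement Point: the only path to the resource goes through the PDP."""
    if pdp.decide(action, subject, resource) != ALLOW:
        raise PermissionError(f"{action} on {resource} refused")
    return f"{action} on {resource} performed"

def demo_pdp() -> PDP:
    """Constructed BYOD classroom policy; subjects carry attributes, no identity or role."""
    rules = [
        Rule("enrolled-read-in-class", ALLOW, lambda a, s, o, e:
             a == "read" and s["course"] == o["course"] and e["location"] == "classroom"),
        Rule("unmanaged-device-high-sensitivity", DENY, lambda a, s, o, e:
             o["sensitivity"] == "high" and not s["device_managed"]),
    ]
    pip = PIP(
        subjects={"anon-7f3a": {"course": "CS101", "device_managed": False},
                  "anon-c210": {"course": "CS101", "device_managed": True}},
        resources={"lecture-notes": {"course": "CS101", "sensitivity": "low"},
                   "exam-paper": {"course": "CS101", "sensitivity": "high"}},
        environment={"location": "classroom"},
    )
    return PDP(rules, pip)
```

Changing only the environment attribute (for example `location`) flips the decision for the same subject and resource, which is the context sensitivity the deck argues role-centric models lack.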

Editor's Notes

  1. Cloud computing is Internet-based computing, whereby shared resources, software and information are provided to computers and other devices on-demand, like the electricity grid.