Swinburne Marketing Strategy

COS 80011
Web Application Architectures
Lecture 10
Access Control
Outline

- What is Access Control?
- Access Control Matrix and Access Control List
- Role-Based Access Control
  - User-Role Assignment
  - Role-Permission Assignment
- Attribute-Based Access Control
- Context-Aware Access Control
  - Context-Aware User-Role Assignment
  - Context-Aware Role-Permission Assignment
© Swinburne University of Technology
Access Control (I)

Access control is one of the fundamental security mechanisms
- needed to protect computer resources (and/or services) against unauthorized access according to a security policy
- a policy is a rule (who can access what)
- it verifies whether a subject (user) is allowed to carry out a specific action (operation) on an object (resource)
- it is a mechanism to determine whether a request from a user to access resources in a system should be permitted or denied

Access Control (II)

It has three major components
- subjects – represent the users in a system performing actions on an object
- objects – represent the resources that are being protected by the system
- operations – represent all the actions that the subjects can perform on the objects

Access Control (III)
Access Control Models/Technologies

- Access Control Matrix or Access Matrix (AM)
- Access Control List (ACL)
- Role-Based Access Control (RBAC)
- Attribute-Based Access Control (ABAC)
- Context-Aware Access Control (CAAC)
- Extended RBAC Models: TMAC (team), OrBAC (organization), …
- ABAC Models: XACML, …
- …
Access Control (IV)

Traditional forms of Access Control
- AM, ACL, RBAC, …
- file systems, operating systems, database systems, …

Access Control on the Web
- XACML (OASIS standard Web-based AC), XACML for RBAC, …
- Domain-specific inputs converted to the XACML Request Context.xml (PEP)
- XACML core policy framework or XACML RBAC implementation using (J2SE, CORBA, etc.), resources are exposed as Web services (PDP, PIP, PAP)
- XACML Response Context.xml is converted to the domain-specific outputs (PEP)

Access Control Matrix (I)

Access Control Matrix or Access Matrix (AM)
- access control technology has a long history that started in the late 60s
- it was first introduced by Lampson in 1971, who introduced a formal, mathematical description of a basic access control model named Access Control Matrix
<Lampson, Butler W. (1971), Protection, Proceedings of the 5th Princeton Conference on Information Sciences and Systems>

Access Control Matrix (II)

Access Control Matrix or Access Matrix (AM)
- the first basic model of access control is the AM
- a formal security model in computer systems
- characterizes the rights of the subjects with respect to the objects
- describes the relationships between subjects and objects in a system
<Lampson, Butler W. (1971), Protection, Proceedings of the 5th Princeton Conference on Information Sciences and Systems>

Access Control Matrix (III)

Access Control Matrix: It has three components
- a set of Objects O, a set of Subjects S, and an Access function A
- an Object is an entity in the system which has to be protected
- a Subject is an entity that has access to the Object
- which Subjects can access which Objects is determined by the Access function

Access Control Matrix (IV)

Access Control Matrix
- the rows of the Access function are labelled with the Subject names and its columns by the Object names
- element $A_{i,j}$ specifies the access which Subject i has to Object j
- each element or cell of the matrix consists of a set of strings called access attributes, such as read and write, which are typical access attributes

Access Control Matrix (V)

AM Implementations
- operating systems
- database systems

Access Control Matrix (VI)

AM Implementations
- a rectangular array of cells, with one row per subject and one column per object

Table: A rectangular array
Rows (subjects): user1, user2, user3
Columns (objects): file1, file2
Cells: {read, write}, {read, write, execute}, {read}, {execute}, {write}, {read}

Access Control List (I)

Access control list (ACL)
- each column in an Access Control Matrix (AM) is translated to an
Access Control List (ACL)
- the ACL contains entries for each subject defining the operations that
the subject can execute on the given object
Access Control List (II)

Access control list (ACL): it specifies
- which users or system processes are granted access to objects
- what operations are allowed on given objects
<Access Control List: Google patents,
http://www.google.com/patents/US20130145028>
Access Control List (III)

ACL Implementations
- File System ACL: a file system ACL is a data structure (table) containing entries that specify individual user or group rights to specific system resources
  - resources – programs, files, etc.
  - entries – access control entries (ACEs)

Access Control List (IV)

ACL Implementations
- File System ACL – used to administrate file permissions
  - for example, a file has an ACL that contains (Bob, delete)
  - this gives Bob permission to delete the file
<MS Windows, Unix/Linux Operating Systems>

Access Control List (V)

ACL Implementations
- File System ACL – access ACL and default ACL (Red Hat Linux)
  - an access ACL is the access control list for a specific file or directory
  - a default ACL can only be associated with a directory; if a file within the directory does not have an access ACL, it uses the rules of the default ACL for the directory
  - ACLs can be configured per user or per group
<https://access.redhat.com/site/documentation/enUS/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/chacls.html>

Access Control List (VI)

ACL Implementations
- File System ACL – access ACL and default ACL (Red Hat Linux)
  - the setfacl utility sets ACLs for files and directories
    # setfacl -m rules files
  - use the -m option to add/modify the ACL of a file/directory
  - rule formats: u:uid:perms, g:gid:perms
    # setfacl -m u:bob:rw /cos80011/waa
<https://access.redhat.com/site/documentation/enUS/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/chacls.html>

Access Control List (VII)

ACL Implementations
- SQL-based systems
- relational database systems
- networking ACLs

AM and ACL (VIII)

Advantages
- easy to implement; simplicity and flexibility are the keys
- effective in closed and relatively unchangeable systems

Disadvantages
- do not allow modelling the global policy rules by which permissions can change in any particular system
- they do not have adequate functionality to maintain the users and objects in large-scale systems, where more than one user needs the same object

Role-Based Access Control (I)

Role-Based Access Control (RBAC)
- Role-Based Access Control (RBAC) is a well-accepted access control model based on the role of the user; it was introduced to tackle the problems of global policy rules and large-scale systems
- first RBAC, Ferraiolo et al (RBAC92)
- the RBAC92 model has been subsequently extended by Sandhu et
al (RBAC96)
<Sandhu et al (RBAC96): http://dl.acm.org/citation.cfm?id=226710>
<Ferraiolo et al (RBAC92): http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf>
Role-Based Access Control (II)

Role-Based Access Control (RBAC)
- in RBAC, it is not important to identify the individual who makes the
access request, but to know his position in the structure of an
organization
- this concept is known as a role in RBAC
- the authorizations are not assigned directly to a particular user, but to
the user’s role
Role-Based Access Control (III)

Role-Based Access Control (RBAC)
- user group and user role – roles are closely related to the concept of
user groups in access control
- however, a role brings together a set of users on one side and a set
of permissions on the other
- whereas user groups are typically defined as a set of users only
Role-Based Access Control (IV)

Role-Based Access Control (RBAC): three main concepts
- RBAC ensures that only an authorized user is given access to a
certain resource, and is based on a user’s role in an organization
- users, roles, and permissions in a simple/basic RBAC model
- users – subjects are typically represented by users, who are
assigned to roles and are granted membership into the roles based
on their credentials and responsibilities in an organization
- roles – roles represent a job function, describing the authority and
responsibility conferred on a user assigned to that role, within an
organization
- permissions – permissions are assigned to roles; permissions contain resources and operations (the operations are allowed on the objects/resources)

Role-Based Access Control (V)

Role-Based Access Control (RBAC) Model
Figure: Basic RBAC Model (U: User; UA: User Assignment; R: Role; PA: Permission Assignment; P: Permission)

Role-Based Access Control (VI)

Role-Based Access Control (RBAC) Model
- U, R and P are the users, roles and permissions respectively
- UA is a many-to-many user to role assignment relation
$UA \subseteq U \times R$
- PA is a many-to-many permission to role assignment relation
$PA \subseteq P \times R$

Role-Based Access Control (VII)

Role-Based Access Control (RBAC): ESP Submissions (Assignments)
- user-role and role-permission assignments (policies)

Table: Relationships among users, roles and permissions
User | Role | Permission
<s7021046, ******> | Student | <Assignment2, submit>
<akayes, ******> | Tutor/Marker | <Assignment2, marking>
<acolman, ******> | Lecturer/Convenor | <Assignment2, marks release>

Role-Based Access Control (VIII)

Role-Based Access Control (RBAC): Role Hierarchy
- also called role inheritance
- for structuring roles to reflect an organization’s lines of authority and
responsibility
- the senior roles can inherit all permissions from the junior roles
- the senior roles can have permissions in addition to those inherited
from the junior roles
Role-Based Access Control (IX)

Role-Based Access Control (RBAC): Role Hierarchy Example
- The lecturer role (senior role) can inherit all permissions from the staff role (junior role)
- The lecturer role can also have its own permissions

Figure: Role Hierarchy (nodes: University User, Student, UGS, PGS, Staff, Tutor, Lecturer)

Role-Based Access Control (X)

Role-Based Access Control (RBAC): Other RBAC Concepts
- RBAC Session (users can create and terminate sessions, to
activate/deactivate roles)
- RBAC Constraints (predicates that can apply to the UA and PA
relations)
<Sandhu et al (RBAC96): http://dl.acm.org/citation.cfm?id=226710>
Role-Based Access Control (XI)

Role-Based Access Control (RBAC): Patient Medical Records Management
- user-role assignments

User | userID
Jane | Jane00X
Mary | Mary00X
Bob | Bob00X

Role | roleID
Registered Nurse | RN00X
Primary-care Physician | PP00X
Emergency Doctor | ED00X
Specialist Physician | SP00X
Physician | P00X

User-Role Assignments (UA)
<Jane00X, PP00X>
<Jane00X, ED00X>
<Mary00X, PP00X>
<Bob00X, RN00X>
<Jane00X, SP00X>

Role-Based Access Control (XII)

Role-Based Access Control (RBAC): Patient Medical Records Management
- role-permission assignments

Role-Permission Assignments (PA)
<ED00X, <EHR, write>>
<RN00X, <DMR, read>>
<P00X, <DMR, write>>
<P00X, <PMH, write>>
<SP00X, <EHR, read>>

Permission <resource, operation>
<Electronic Health Records (EHR), write>
<daily medical records (DMR), read>
<Past Medical History (PMH), write>

Role-Based Access Control (XIII)

Role-Based Access Control (RBAC): Patient Medical Records Management
- The specialist physician role (senior role) can inherit all permissions from the physician role (junior role)

Figure: An Excerpt of Healthcare Role Hierarchy (nodes: Healthcare User, Nurse, Registered Nurse, Nurse Manager, Physician, Emergency Doctor, Specialist Physician, Primary-care Physician)

Role-Based Access Control (XIV)

Role-Based Access Control (RBAC): Patient Medical Records Management

UA
<Jane00X, PP00X>
<Jane00X, ED00X>
<Mary00X, PP00X>
<Bob00X, RN00X>
<Jane00X, SP00X>

Role | roleID
Registered Nurse | RN00X
Primary-care Physician | PP00X
Emergency Doctor | ED00X
Specialist Physician | SP00X
Physician | P00X

PA
<ED00X, <EHR, write>>
<RN00X, <DMR, read>>
<P00X, <DMR, write>>
<P00X, <PMH, write>>
<SP00X, <EHR, read>>

Figure: role hierarchy excerpt (nodes: Physician, Emergency Doctor, Primary-care Physician, Specialist Physician)

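The UA and PA relations and the role hierarchy of the Patient Medical Records example, evaluated as code. This is an added example, not part of the lecture; the function names are hypothetical, and the PP00X and ED00X hierarchy edges are an assumption read from the hierarchy figure (the slides state only that the specialist physician inherits from the physician).

```python
# Added example (not from the lecture): core RBAC with a role hierarchy,
# built from the UA and PA tuples of the Patient Medical Records slides.

# User-role assignment UA (subset of U x R), as listed on the slides.
UA = {
    ("Jane00X", "PP00X"), ("Jane00X", "ED00X"), ("Jane00X", "SP00X"),
    ("Mary00X", "PP00X"),
    ("Bob00X", "RN00X"),
}

# Role-permission assignment PA; a permission is a (resource, operation) pair.
PA = {
    ("ED00X", ("EHR", "write")),
    ("RN00X", ("DMR", "read")),
    ("P00X", ("DMR", "write")),
    ("P00X", ("PMH", "write")),
    ("SP00X", ("EHR", "read")),
}

# Role hierarchy: senior role -> junior roles whose permissions it inherits.
# SP00X -> P00X is stated on the slides; the PP00X and ED00X edges are an
# assumption read from the hierarchy figure.
JUNIORS = {"SP00X": {"P00X"}, "PP00X": {"P00X"}, "ED00X": {"P00X"}}


def with_juniors(role, hierarchy=JUNIORS):
    """Return the role plus every junior role reachable from it."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current not in seen:  # guards against cycles in the hierarchy
            seen.add(current)
            stack.extend(hierarchy.get(current, ()))
    return seen


def effective_permissions(user, active_roles=None):
    """Permissions of a user; active_roles models an RBAC session."""
    assigned = {role for (u, role) in UA if u == user}
    # A session can only activate roles that UA actually assigns to the user.
    roles = assigned if active_roles is None else assigned & set(active_roles)
    expanded = set()
    for role in roles:
        expanded |= with_juniors(role)
    return {perm for (role, perm) in PA if role in expanded}


def check_access(user, resource, operation, active_roles=None):
    """Default deny: permit only if some active role carries the permission."""
    return (resource, operation) in effective_permissions(user, active_roles)


if __name__ == "__main__":
    for user in ("Jane00X", "Mary00X", "Bob00X"):
        print(user, sorted(effective_permissions(user)))
    print(check_access("Jane00X", "EHR", "write", active_roles=["SP00X"]))
```

Activating only SP00X in a session drops the EHR write permission that Jane holds through ED00X, while the permissions inherited from P00X remain.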
Role-Based Access Control (XV)

Role-Based Access Control (RBAC): main part
Figure labels: Organization, Resource, Role, Operation

Role-Based Access Control (XVI)

Advantages
- simplifies management of permissions
- effective/useful model in large-scale systems/domains

Disadvantages
- the user-role and role-permission assignments are static without taking into account the dynamic attributes, such as the location of users
- this makes a less effective solution in today’s open and dynamic environments

Attribute-Based Access Control (I)
Attribute-Based Access Control (ABAC)
- a new access control paradigm where access rights are granted to
users through the use of policies which combine attributes together
- the policies can use any type of attributes (user attributes, resource
attribute, etc.)
- it is a rule-based approach to access control, it does not use the
concept of a role
- the building blocks in the ABAC model are the attributes
- an ABAC policy specifies which constraints need to be satisfied
based on the attributes (e.g., user age is greater than 20) in order to
grant access to an object
Attribute-Based Access Control (II)
Attribute-Based Access Control (ABAC)
- the formal definition of basic ABAC is composed of four parts: access
control related entities, attributes of entities, policy representation,
and policy evaluation
- entities – requestor (Req), resource (Res), action (Act), environment
(Env)
- attributes of entities (e.g., attributes of environment (Attr(Env)) – the
current date or time)
- policy specification – the definition of access control policies
- policy evaluation – the process of making an access decision based
on the security policy
<ABAC, http://www.mcs.anl.gov/uploads/cels/papers/P1367.pdf>
Attribute-Based Access Control (III)
Attribute-Based Access Control (ABAC): policy evaluation
- an access control decision is made by the evaluation function ($Pi\_adf()$), the access control decision function, ADF
- it takes the attributes of the requestor, the resource, the action, the environment as parameters
$Pi\_adf(Attr(Req), Attr(Res), Attr(Act), Attr(Env)) = permit \text{ or } deny$

Attribute-Based Access Control (IV)

eXtensible Access Control Markup Language (XACML)
- is the standard that implements attribute-based access control
- a standard XML-based protocol for access control policies
- suitable for a variety of application environments (e.g., Web-based)
- uses the attributes of subject, resource, action, and environment
- this framework contains PEP, PDP, PIP, and PAP
<OASIS XACML 3.0 (2013), http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf>

Attribute-Based Access Control (V)

eXtensible Access Control Markup Language (XACML): four main
components
- Policy Enforcement Point (PEP)
- Policy Decision Point (PDP)
- Policy Administration Point (PAP)
- Policy Information Point (PIP)
<OASIS XACML 3.0 (2013), http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf>

Attribute-Based Access Control (VI)

XACML Data Authorization Framework
Figure: XACML Data Flow Diagram
<OASIS XACML 3.0 (2013), http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf>

Attribute-Based Access Control (VII)

XACML Data Authorization Framework: when an access request comes from the access requesters (users)
- the PEP intercepts the access requests from users and sends the requests to the PDP (through the context handler)
- the PDP makes access decisions according to the security policy (policy set) written by the PAP
- the PDP uses the attributes of the subjects, the resources, and the environment obtained by querying the PIP (via the context handler)
- the access decision given by the PDP is sent to the PEP (through the context handler)
- the PEP either permits or denies the users' request according to the decision of the PDP

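The request flow above and the decision function Pi_adf() from the policy evaluation slide, as an added example that is not part of the lecture or of the XACML specification. The attribute values, rule ids and function names are constructed for illustration; the age rule reuses the "user age is greater than 20" constraint from the ABAC slides, and the combining step is a simplified deny-overrides.

```python
# Added example (not from the lecture or the XACML specification): a minimal
# PEP -> context handler -> PDP flow with attributes supplied by a PIP.
PERMIT, DENY = "Permit", "Deny"
NOT_APPLICABLE, INDETERMINATE = "NotApplicable", "Indeterminate"

# PIP: attribute store (constructed sample data).
PIP = {
    "subject": {"alice": {"age": 34}, "tom": {"age": 19}, "eve": {}},
    "resource": {"report-7": {"type": "report"}},
}

# Policy set written via the PAP: each rule has a target (does the rule apply
# to this request?) and a condition over the four attribute sets.
POLICY_SET = [
    {"id": "age-over-20-may-read-reports", "effect": PERMIT,
     "target": lambda req, res, act, env:
         res["type"] == "report" and act["id"] == "read",
     "condition": lambda req, res, act, env: req["age"] > 20},
    {"id": "nothing-outside-office-hours", "effect": DENY,
     "target": lambda req, res, act, env: True,
     "condition": lambda req, res, act, env: not 8 <= env["hour"] < 18},
]


def adf(req, res, act, env, policy_set=POLICY_SET):
    """PDP decision function over Attr(Req), Attr(Res), Attr(Act), Attr(Env)."""
    results = []
    for rule in policy_set:
        try:
            if not rule["target"](req, res, act, env):
                continue  # rule does not apply to this request
            if rule["condition"](req, res, act, env):
                results.append(rule["effect"])
            else:
                results.append(NOT_APPLICABLE)
        except KeyError:
            results.append(INDETERMINATE)  # a needed attribute is missing
    # Simplified deny-overrides combining.
    for outcome in (DENY, INDETERMINATE, PERMIT):
        if outcome in results:
            return outcome
    return NOT_APPLICABLE


def context_handler(subject_id, resource_id, action_id, env):
    """Collect attributes from the PIP and pass the request context to the PDP."""
    req = PIP["subject"].get(subject_id, {})
    res = PIP["resource"].get(resource_id, {})
    return adf(req, res, {"id": action_id}, env)


def pep(subject_id, resource_id, action_id, hour):
    """PEP: intercept the request and enforce the PDP decision.

    Anything other than Permit is treated as a refusal, so missing attributes
    or an unmatched policy never open access.
    """
    decision = context_handler(subject_id, resource_id, action_id, {"hour": hour})
    return decision == PERMIT, decision
```

The PEP returns both the enforcement result and the raw decision, so a NotApplicable or Indeterminate outcome can be logged separately from an explicit Deny.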
Attribute-Based Access Control (VIII)

XACML Implementation
- Domain-specific Inputs (from the requesters), converted to
- XACML Request Context (.xml)
- XACML Policy (.xml)
- XACML Response Context (.xml), converted to
- Domain-specific Outputs (back to the requesters)

Attribute-Based Access Control (IX)

Language Model of XACML
Figure: XACML Context and Policy
<OASIS XACML 3.0 (2013), http://docs.oasis-open.org/xacml/3.0/xacml-3.0-core-spec-os-en.pdf>

Attribute-Based Access Control (X)

Advantages
- easy to implement/setup
- very useful model in small-scale systems/domains

Disadvantages
- when the number of users is high, the number of authorizations can become extremely large, which complicates the administration tasks
- this brings high complexity of security administration and significant cost of management of growing large-scale systems
- it does not provide adequate functionalities for dynamic access permissions

Context-Aware Access Control (I)

Static Access Permissions
- AM
- ACL
- RBAC
- ABAC
- XACML

Dynamic access permissions (to dynamically make access control decisions)
The dynamic user-role and role-permission assignments
Access to medical records of patients should be dynamically controlled depending on the location and request time of users. Normally, a nurse that is not located in the hospital should not have access to medical records of patients. Moreover, this access is allowed only during her ward duty time, and knowing the relationship between patient and nurse.

Context-Aware Access Control (II)

- RBAC has become the most widely used access control model
- The CAAC model adopts RBAC concepts and extends its user-role and role-permission assignments
- CAAC incorporates the dynamic attributes (context information) into both user-role and role-permission assignments

Context-Aware Access Control (III)

CAAC Policy Framework
<A. S. M. Kayes, Jun Han, and Alan Colman, A Semantic Policy Framework for Context-Aware Access Control Applications, TrustCom 2013, http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6680911&tag=1>

Context-Aware Access Control (IV)

Dynamic Context-Aware Environments
- Shift from desktop environments to dynamic environments described by Mark Weiser, where users need seamless access to various resources at anytime from anywhere even when they are on the move
- Pervasive/Ubiquitous environments
- Privacy and security of accessing resources/services is of greater concern
- Context information
<Mark Weiser, Some computer science issues in ubiquitous computing, Comm. ACM 1993, http://dl.acm.org/citation.cfm?id=159617>

Context-Aware Access Control (V)

Context Information and Context Awareness
- Dey: context information is defined as any information that can be used to characterize the situation of an entity, and context awareness is the ability to use context information to provide relevant information and/or services to the user

Our focus is “CAAC Model”
- Context-aware access control (CAAC): decision making based on the context information, reauthorization of access if context changes
<Dey et al, A Conceptual Framework for Context-Aware Applications, PUC 2001, http://www.tandfonline.com/doi/abs/10.1207/S15327051HCI16234_02#.U29vNfmSzzg>

Context-Aware Access Control (VI)

Application Scenario
Figure: User-to-Resource Access Scenario in Context-Aware Environments (labels: Organization, User, Resources; users from different locations; users from different devices; users at different times; a patient in an emergency health condition)

Context-Aware Access Control (VII)

Application Scenario
A patient, Bob, is in the emergency room due to a heart attack. While not being Bob's usual treating physician, Jane, a medical practitioner at the hospital, is required to treat Bob and needs to access Bob's electronic health records from the emergency room.

Figure: Healthcare Scenario (labels: User, Resources, Patients’ Medical Records, Healthcare)

Context-Aware Access Control (VIII)

Application Scenario
After getting emergency treatment, Bob is shifted and has been assigned a registered nurse, Mary, who has regular follow-up visits to monitor his health condition. Mary needs to access several types of Bob's records (daily medical records and private health records) from the general ward.

Figure: Healthcare Scenario (labels: User, Resources, Patients’ Medical Records, Healthcare)

Context-Aware Access Control (IX)

Application Scenario
- Different users with different roles from different environments for different intentions
- Privacy and security

Figure: Healthcare Scenario (labels: User, Resources, Patients’ Medical Records, Healthcare)

Context-Aware Access Control (X)

Main Challenges/Requirements
- (Req1) – representation of context entities and context information relevant to access control (context model)
- (Req2) – inferring high-level context information from the available information (reasoning model)
- (Req3) – incorporating dynamic contextual information into access control policies (policy model)

Context-Aware Access Control (XI)

Figure: CAAC Model

Context-Aware Access Control (XII)

CAAC Model Concepts (elements)
- Users (U) – a user is a human being (a service requester) interacting with a computing system, whose access request is being controlled (e.g., Jane, Mary)
- Roles (R) – a role reflects a user's job function within the organization (e.g., healthcare domain)
- Resources (Res) – a resource is an object protected by access control that represents the data/information container (e.g., patient’s electronic health records)
- Operations (Op) – an operation is an action that can be executed on the resources (e.g., read, write)
- Permissions (P) – permissions are the approvals to perform certain operations on resources, by the users who initiate access requests

Context-Aware Access Control (XIII)

CAAC Model Concepts (elements)
- Context Information (CI) – context information used in an access control decision is defined as any relevant information about the state of an entity or the state of a relevant relationship between entities (e.g., location of the patient, social or interpersonal relationship between doctor and patient)
- Policies (Pol) – two sets of policies: the context-aware user-role assignment policies and context-aware role-permission assignment policies

Context-Aware Access Control (XIV)

Figure: CAAC Model

Context-Aware Access Control (XV)

CAAC Model Concepts (relationships)
- Role Hierarchy (RH) – it supports the concept of role inheritance (like RBAC). Roles are considered in a hierarchical manner: if a permission is assigned to a junior role, then it is also assigned to all the senior roles of that role
- Resource Hierarchy (ResH) – resources are also considered in a hierarchical manner: if a user has the right to access a resource with the highest granularity level, then he also has the right to access the lower granularity levels of that resource
- Operation Assignment (OpA) – each operation can be associated with many resources, and each resource can be granted many operations

Context-Aware Access Control (XVI)

CAAC Model Concepts (relationships)
- Context-Aware User-Role Assignment (CAURA) – a many-to-many mapping between a set of users and roles, when a set of dynamic contextual conditions are satisfied
$CAURA \subseteq U \times R \times CI$
- Context-Aware Role-Permission Assignment (CARPA) – a many-to-many mapping between a set of roles and permissions, when a set of dynamic contextual conditions are satisfied
$CARPA \subseteq R \times P \times CI$

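The CAURA and CARPA relations applied to the nurse and emergency-room scenarios from the earlier slides, including reauthorization when the context changes. This is an added example, not part of the lecture or of the CAAC paper; the context keys, location values and function names are assumptions made for illustration.

```python
# Added example (not from the lecture or the CAAC paper). Context conditions
# are predicates over a context dictionary whose keys are assumptions.
HOSPITAL_LOCATIONS = {"general ward", "emergency room"}


def in_hospital_on_duty(ctx):
    return (ctx.get("user_location") in HOSPITAL_LOCATIONS
            and ctx.get("on_ward_duty") is True)


def in_emergency_room(ctx):
    return ctx.get("user_location") == "emergency room"


def is_assigned_nurse(ctx):
    return ctx.get("relationship") == "assigned nurse"


def patient_in_emergency(ctx):
    return ctx.get("patient_condition") == "emergency"


# CAURA (subset of U x R x CI): the role is held only while the condition holds.
CAURA = [
    ("Mary", "Registered Nurse", in_hospital_on_duty),
    ("Jane", "Emergency Doctor", in_emergency_room),
]

# CARPA (subset of R x P x CI): the permission is granted only in that context.
CARPA = [
    ("Registered Nurse", ("DMR", "read"), is_assigned_nurse),
    ("Emergency Doctor", ("EHR", "read"), patient_in_emergency),
]


def active_roles(user, ctx):
    """Roles the user holds under the current context."""
    return {role for (u, role, cond) in CAURA if u == user and cond(ctx)}


def decide(user, resource, operation, ctx):
    """Permit only if both context-aware assignments hold; otherwise deny."""
    roles = active_roles(user, ctx)
    return any(role in roles and perm == (resource, operation) and cond(ctx)
               for (role, perm, cond) in CARPA)


def revoked_after_change(open_grants, new_ctx):
    """Reauthorization: (user, resource, operation) grants that no longer
    hold once the context has changed to new_ctx."""
    return [grant for grant in open_grants if not decide(*grant, new_ctx)]
```

A missing context key fails the condition, so incomplete context information results in a denial rather than a grant.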
Context-Aware Access Control (XVII)

Figure: CAAC Model (labels: Context Ontology, Policy Ontology)

Context-Aware Access Control (XVIII)

Advantages
- dynamic access permissions (dynamic access control decision making)
- dynamic user-role and role-permission assignments
- efficient model in today’s dynamic and context-aware environments

Disadvantages
- implementation efforts

Review
- Access Control
- AM
- ACL
- RBAC
- ABAC
- XACML
- CAAC

Next
- Semantic Web
- Semantic Technology
- Ontology Concept
- OWL, DL and SWRL
- Ontology-Based Framework for Access Control
- XACML-Based Framework for Access Control
- XACML for RBAC

Questions?
- ABAC, Core XACML – attribute-based
- RBAC – role-based
- CAAC – ?

Questions?
- ABAC, Core XACML – attribute-based
- RBAC – role-based
- CAAC – role- and attribute-based
akayes@swin.edu.au (dblp: A. S. M. Kayes)