CSIIR Workshop, March 14-15, 2005
Privilege and Policy Management for Cyber Infrastructures
Dennis Kafura
Markus Lorch
Support provided by: Commonwealth Security Information Center, Fermi National Accelerator Laboratory, IBM
Organization
Grand Challenges
– Problems
– Requirements
PRIMA – a privilege-based approach
– Models
– Architecture/Mechanisms
Research challenges
– Policy
– Obligations
– Enforcement
– Usability
Relationship to I3P and Workshop Themes
Grand Challenge Problems
Societal infrastructures
“Develop tools and principles that allow construction of large-scale systems for important societal applications that are highly trustworthy despite being attractive targets.”
Dynamic, pervasive computing environments
“For the dynamic, pervasive computing environments of the future, give computing end-users security they can understand and privacy they can control.”
From: CRA Workshop on “Grand Research Challenges in Information Security and Assurance,” November 2003.
Cyber Infrastructure Requirements
Grand Challenge -> Attribute -> Requirement
Societal infrastructures
  large scale: distributed authority; distributed trust establishment
  trustworthy: predictable; responsive to environment
Dynamic, pervasive computing environments
  understandable: familiar paradigm; unified principle
  controllable: restricted rights assignment; differential confidence
PRIMA Models
PRIMA Properties
Grand Challenge -> Attribute -> Requirement -> PRIMA Model Property
Societal infrastructure
  large scale
    distributed authority -> PM: privilege creation and delegation
    distributed trust establishment -> TM: user-centric trust; PM: direct privilege management
  trustworthy
    predictable -> AM/PM: dynamic policy
    responsive to environment -> AM: adaptive policy
Dynamic, pervasive computing environments
  understandable
    familiar paradigm -> PM: privilege concept
    unified principle -> PM: privilege concept
  controllable
    restricted rights assignment -> PM: least privilege access
    differential confidence -> TM: incremental trust; PM: selective control of privileges
Privilege Structure
Privilege properties:
– Fully associated
– Directly applicable
– Time limited
– Externalized
– Secure
– Non-repudiation
Implementation:
– Container: X.509 Attribute Certificate
– Privilege: XACML rule construct
Enforcement Concepts
Policy Enforcement Point (PEP) checks privileges for:
– Applicability (to resource and requestor)
– Validity (of time frame and signature)
– Authority (with respect to privilege management policy)
All permissible privileges together constitute a dynamic policy for the request.
Policy Decision Point (PDP):
– Makes coarse decision
– Adds obligations for PEP
Diagram (flattened): Subjects, Policy Enforcement Point, Policy Decision Point, Execution Environment, Requested Service
1. service request (with privileges) [Subject to PEP]
2. authorization request (with privileges) [PEP to PDP]
3. evaluate request against dynamically created policy based on subject-provided privileges and applicable privilege management and access control policies [PDP]
4. authorization response (with obligations) [PDP to PEP]
5. provision execution environment, and start + monitor service [PEP to Execution Environment]
6. service response [Requested Service to PEP]
7. service response [PEP to Subject]
Dynamic Policy
Obligations
Additional constraints attached to an authorization decision
If the PEP cannot fulfill an obligation, it denies access
Obligations address the mismatch in level of detail between the request and the policies
Obligations help in maintaining system state
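The PEP/PDP flow of the Enforcement Concepts slide and the obligation rule above can be made concrete in a small simulation. The following Python is an added example written for this page, not PRIMA's own code. It stands in for X.509 attribute certificates with dicts that each carry one XACML-like rule (subject, resource, action, validity window), stands in for the issuer's signature with an HMAC under a constructed per-issuer key, and uses constructed issuer names, resources and a constructed privilege-management policy (`PM_POLICY`). The `max_cpu` field is an assumed constraint used to show how a privilege narrower than the request is turned into an obligation that the PEP must be able to discharge.

```python
"""Toy model of PRIMA-style privilege enforcement (added example, not PRIMA code).

Privileges are dicts standing in for X.509 attribute certificates; an HMAC over
the privilege fields stands in for the issuer signature (constructed
simplification). Times are epoch seconds supplied by the caller so the flow is
deterministic.
"""
import hashlib
import hmac
import json

# Constructed trust anchors: issuer name -> verification key (stands in for the issuer's certificate).
ISSUER_KEYS = {"alice": b"alice-key", "bob": b"bob-key"}

# Constructed privilege-management policy: which issuers hold authority over which resource.
PM_POLICY = {"/data/exp1": {"alice"}, "/data/exp2": {"bob"}}

# Obligation types this PEP knows how to fulfil (constructed).
PEP_HANDLERS = {"sandbox", "cpu_limit", "audit_log"}


def _sign(priv, key):
    """Deterministic MAC over every field except the signature itself."""
    body = json.dumps({k: v for k, v in priv.items() if k != "sig"}, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def make_privilege(issuer, subject, resource, action, nbf, exp, max_cpu=None):
    """Issuer creates a fully associated, time-limited privilege (nbf/exp in epoch seconds)."""
    priv = {"issuer": issuer, "subject": subject, "resource": resource,
            "action": action, "nbf": nbf, "exp": exp, "max_cpu": max_cpu}
    priv["sig"] = _sign(priv, ISSUER_KEYS[issuer])
    return priv


def pep_filter(privs, request, now):
    """PEP: keep only privileges that are applicable, valid and authorized.

    The survivors form the dynamic policy for this single request.
    """
    kept = []
    for p in privs:
        applicable = p["subject"] == request["subject"] and p["resource"] == request["resource"]
        valid_time = p["nbf"] <= now <= p["exp"]
        key = ISSUER_KEYS.get(p["issuer"])
        valid_sig = key is not None and hmac.compare_digest(p["sig"], _sign(p, key))
        authority = p["issuer"] in PM_POLICY.get(p["resource"], set())
        if applicable and valid_time and valid_sig and authority:
            kept.append(p)
    return kept


def pdp_decide(dynamic_policy, request):
    """PDP: coarse Permit/Deny over the dynamic policy, plus obligations for the PEP."""
    matching = [p for p in dynamic_policy if p["action"] == request["action"]]
    if not matching:
        return "Deny", []
    obligations = [("sandbox", True), ("audit_log", request["subject"])]
    # A privilege may be narrower than the request (e.g. a CPU cap); the PDP cannot
    # express that in a yes/no answer, so it becomes an obligation. Taking the
    # tightest cap is this example's conservative design choice.
    limits = [p["max_cpu"] for p in matching if p["max_cpu"] is not None]
    if limits:
        obligations.append(("cpu_limit", min(limits)))
    return "Permit", obligations


def pep_enforce(privs, request, now, handlers=PEP_HANDLERS):
    """Full PEP flow: filter privileges, consult the PDP, grant only if every obligation is fulfillable."""
    decision, obligations = pdp_decide(pep_filter(privs, request, now), request)
    if decision != "Permit":
        return "Deny", []
    if any(name not in handlers for name, _ in obligations):
        return "Deny", []  # an obligation the PEP cannot discharge means no access
    return "Permit", obligations


def demo():
    """Run the flow on constructed privileges and return the outcomes."""
    p_ok = make_privilege("alice", "carol", "/data/exp1", "execute", 100, 200, max_cpu=2)
    p_no_authority = make_privilege("bob", "carol", "/data/exp1", "execute", 100, 200)
    p_tampered = dict(p_ok, action="delete")  # signature no longer matches the fields
    req = {"subject": "carol", "resource": "/data/exp1", "action": "execute"}
    return {
        "filtered": pep_filter([p_ok, p_no_authority, p_tampered], req, 150),
        "permit": pep_enforce([p_ok, p_no_authority, p_tampered], req, 150),
        "expired": pep_enforce([p_ok], req, 250),
        "wrong_action": pep_enforce([p_ok], dict(req, action="delete"), 150),
        "unfulfillable": pep_enforce([p_ok], req, 150, handlers={"sandbox", "audit_log"}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two points the slides make show up directly in the outcomes: the privilege from an issuer without authority over the resource and the tampered privilege never reach the PDP, because the PEP filters them before the dynamic policy is built, and a Permit from the PDP is still downgraded to Deny when the PEP lacks a handler for one of the obligations it carries.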
Research Challenges: Policy
What can be adapted from software engineering research for policy:
– Testing
– Debugging
– Formal Analysis
– Requirements engineering
Policy extensions
– Threat/environment aware
Research Challenges: Obligations
Granularity mismatch
– Too many rights to be externalized
– Partially addressed by dynamic policy
With respect to the request
– Need to add restrictions finer-grained than the request
Research Challenges: Enforcement
Evaluation of mechanisms
– Dynamic user accounts
– Virtual machine/sandboxing
– Service containers
Model
– Distributing privileges to dynamically provision an execution environment, vs.
– Pre-provisioning an execution environment and distributing a privilege for it
Research Challenges: Usability
What are the right conceptual models?
– Privileges
– Roles
– Others? Several? Combinations?
How can users manage their rights?
– P3P
– Shibboleth release policies
– Least-privilege control
Addressing I3P and Workshop Themes
Theme -> PRIMA contribution
I3P Agenda
  Enterprise Security Management -> Policy definition and management
  Trust among Distributed Autonomous Parties -> PRIMA trust model; Least privilege access; Fully decentralized mechanisms
  Discovery/Analysis of Security Properties and Vulnerabilities -> Policy testing; Policy analysis using formal methods
  Secure System and Network Response and Recovery -> Threat-aware policies
  Traceback, Identification, and Forensics -> Privilege validation (signing, non-repudiation); Obligations
Workshop Themes
  Insider Threats -> Separation of duties through privilege restrictions
  Life-cycle Threats -> Policy requirements engineering
  Distributed Ad Hoc Trust/Multi-Level Trust -> Privilege management; Secure execution environments