Access Control Models: Controlling Resource Authorization
12 likes10,190 views
The document provides an overview of access control models, which dictate how users can access resources within a system. It discusses four primary models: Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), and Attribute-Based Access Control (ABAC), outlining their definitions, advantages, and disadvantages. Additionally, it emphasizes the importance of selecting the appropriate model based on resource sensitivity and operational requirements.
Access Control Models: Controlling Resource Authorization
- 2. Access Control Models: Controlling Resource Authorization Mark Niebergall @mbniebergall
- 3. About Mark Niebergall âȘ PHP since 2005 âȘ MS degree in MIS âȘ Senior Software Engineer âȘ UPHPU President âȘ SSCP, CSSLP Certified and SME âȘ Drones, fishing, skiing, father, husband
- 4. Overview
- 5. Overview Access request flow Define applicable terminology Cover primary Access Control Models Discuss pros and cons of each model
- 11. Authentication You are who you say you are Verify identity
- 12. Subject
- 13. Subject Also known as requestor Human or non-person entity (NPE)
- 14. Subject Making request to access resource
- 17. Resource
- 18. Resource Also known as object Protected from unauthorized use
- 19. Resource Something the system has or does âȘ Data âȘ Functionality âȘ Hardware
- 22. Authorization
- 23. Authorization Allow an authenticated subject access to a resource
- 24. Authorization Allow or deny Subject action on object (CRUD)
- 26. Request Resource Access Authorize Request Authenticate Subject Access Control Model
- 29. Access Control Model Dictates who gets to do what
- 30. Access Control Model Framework for making authorization decisions
- 31. Access Control Model Deciding subject access to resources
- 32. Access Control Model #4 on 2017 OWASP Top 10: Broken Access Control
- 33. Access Control Model Primary Access Control Models âȘ DAC: Discretionary âȘ MAC: Mandatory âȘ RBAC: Role Based âȘ ABAC: Attribute Based
- 35. DAC House keys
- 36. Email DAC
- 40. DAC Object owner grants permission based on subject identity Access Control List (ACL) Deny by default
- 41. DAC Subject Resource Authorization Alice Report Allow Alice Finance Deny Alice Customer Allow Bob Report Allow Bob Finance Deny Bob Customer Deny
- 42. DAC SELECT is_allow FROM acl WHERE subject = âAliceâ AND resource = âCustomerâ LIMIT 1;
- 43. DAC $acl = new Acl; $alice = new User(âAliceâ); $bob = new User(âBobâ); $customer = new Resource(âCustomerâ); $acl->allow($alice, $customer); $acl->deny($bob, $customer); $acl->isAllowed($alice, $customer); $acl->isAllowed($bob, $customer);
- 44. DAC Simple implementation High operational overhead Access at discretion of resource owner
- 45. DAC Questions?
- 49. MAC Blog
- 50. MAC Leveled-up character in game
- 53. MAC Object sensitivity Subject security level or clearance Write up, read down
- 54. MAC Owner sets object label System sets subject security level
- 55. MAC Subject Security Level Object Label Top Secret Secret Confidential Top Secret Allow Allow Allow Secret Deny Allow Allow Confidential Deny Deny Allow
- 56. Subject Security Level Alice Top Secret Bob Secret Clara Confidential Object Label Report Top Secret Finance Secret Customer Confidential MAC Level Name 1 Top Secret 2 Secret
- 57. MAC Subject: Security Level Object: Label Report: Top Secret Finance: Secret Customer: Confidential Alice: Top Secret Allow Allow Allow Bob: Secret Deny Allow Allow Clara: Confidential Deny Deny Allow
- 58. MAC SELECT s.security_level FROM subject s JOIN security_level sl_s ON sl_s.name = s.name JOIN resource r ON r.resource = âReportâ JOIN security_level sl_r ON sl_r.name = r.name AND sl_r.level <= sl_s.level WHERE s.subject = âAliceâ LIMIT 1;
- 59. MAC $accessControl = new Mac; $topSecret = new Level(âTop Secretâ); $secret = new Level(âSecretâ); $alice = new User(âAliceâ); $bob = new User(âBobâ); $finances = new Resource(âFinancesâ); $accessControl->addLevel($topSecret, 1) ->addLevel($secret, 2); $accessControl->addUser($alice, $topSecret) ->addUser($bob, $secret); $accessControl->addResource($finances, $secret); $accessControl->isAllowed($alice, $finances);
- 60. MAC Multilevel security System and owner determine access No flexibility Moderate overhead
- 61. MAC Questions?
- 64. RBAC User roles on a computer
- 66. RBAC LARPing
- 68. RBAC Role A Role B Role C Role D Subject Role Resource
- 69. RBAC Subject assigned to role Role granted access to resource
- 70. RBAC Subject Role Alice Accounting Alice Orders Bob Payroll Clara Orders Clara Reporting Role Resource Accounting Finance Accounting Reports Orders Inventory Orders Shipments Payroll Finance
- 71. RBAC SELECT sr.subject, rr.resource FROM subject_role sr JOIN role_resource rr ON rr.subject = sr.subject AND rr.role = sr.role WHERE sr.subject = âAliceâ AND rr.resource = âReportâ LIMIT 1;
- 72. RBAC $accessControl = new Rbac; $accounting = new Role(âAccountingâ); $ordering = new Role(âOrderingâ); $alice = new User(âAliceâ); $bob = new User(âBobâ); $inventory = new Resource(âInventoryâ); $accessControl->addRole($accounting) ->addRole($ordering); $accessControl->addUser($alice) ->addUser($bob); $accessControl->addResource($inventory); $accessControl->addUserToRole($alice, $accounting); $accessControl->addResourceToRole($inventory, $ordering); $accessControl->isAllowed($alice, $ordering); $accessControl->isAllowed($bob, $inventory);
- 74. RBAC Very common Lower overhead More scalable
- 75. RBAC Questions?
- 77. ABAC Electronic key card system
- 78. ABAC Credit card with monitoring
- 81. ABAC Conditional authorization based on attributes
- 83. ABAC Subject Action Resource Environment Policy
- 84. ABAC Subject Action Environment Resource Access Manager Create Region A Customer Allow Manager Update Region B Customer Deny Data Entry Create Region A Any Hour Customer Allow Data Entry Create Region B Day Shift Customer Allow Data Entry Create Region B After hours Customer Deny
- 85. ABAC Subject attributes Action attributes Resource attributes Environment attributes
- 86. ABAC Subject attributes âȘ Who âȘ Where âȘ Roles âȘ Affiliation âȘ Clearance
- 87. ABAC Action attributes âȘ Create, POST âȘ Read, GET âȘ Update, PUT âȘ Delete, DELETE âȘ Execute
- 88. ABAC Resource attributes âȘ Type âȘ Owner âȘ Classification
- 89. ABAC Environment attributes âȘ Time âȘ Network âȘ Operating system âȘ Encryption method
- 90. ABAC Policy Enforcement Point (PEP) Policy Decision Point (PDP) PEP sends authorization request to PDP
- 91. ABAC Gartner predicts 70% of all businesses will use ABAC by 2020 Keeps eyes on ABAC
- 92. ABAC Attempt to standardize ABAC policies into XML format is mostly dead, eXtensible Access Control Markup Language (XACML)
- 93. ABAC Refined access Meets demand for more advanced access control API access control
- 94. ABAC Typically start with RBAC implementation and then build onto it with policies Custom implementation so no example
- 95. ABAC Questions?
- 98. Considerations Model Scalability Granularity Sensitivity DAC MAC RBAC ABAC
- 99. Implementation Considerations Use cases for application Sensitivity of resources Scalability of model Granularity requirements
- 100. Implementation Considerations Existing frameworks and projects APIs, external interfaces
- 102. Review
- 103. Review
- 104. Review DAC: simple, high overhead, ACL MAC: user and resource classification RBAC: most common, role driven, smaller overhead ABAC: most advanced, policy driven
- 105. Review Operational overhead vs authorization needs Consider current implementation Consider future implementation
- 106. Credits
- 107. CREDITS âȘ NIST publication on ABAC http://nvlpubs.nist.gov/nistpubs/specialpublications/NI ST.sp.800-162.pdf âȘ ABAC for ZF2 https://github.com/Eye4web/Eye4webZf2Abac/blob/master/d ocs/README.md âȘ Presentation template by SlidesCarnival âȘ Axiomatics webinar, May 2014 http://www.slideshare.net/Axiomatics/attribute-based-ac cess-control-for-data-protection-webinar-may-8 âȘ OWASP https://www.owasp.org/index.php/Category:OWASP_Top_Ten_ Project