Database Security with the SecureSphere Database Security Gateway
FRIB Database Security
description
Transcript of FRIB Database Security
![Page 1: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/1.jpg)
This material is based upon work supported by the U.S. Department of Energy Office of Science under Cooperative Agreement DE-SC0000661.Michigan State University designs and establishes FRIB as a DOE Office of Science National User Facility in support of the mission of the Office of Nuclear Physics.
FRIB Database Security
![Page 2: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/2.jpg)
V. Vuppala,Controls DB Meeting
Security Requirements Access Control Specification Access Control Realization Security Architecture Design Concerns Summary
Overview
, Slide 2
![Page 3: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/3.jpg)
General• Authentication and Authorization• Role-based access control• Delegation
Structural• Controlled access to components, their attributes and relationships• Area Managers are responsible for structural data
Behavioral or Operational• Controlled access to Operation of the Accelerator• Not managed by area managers• Operations Group responsible for Controls System (CS)• Experimental Group responsible for CS in Experimental Areas• Dynamic Access Control (Check-in/out Model)
Services• Controlled access to application functionality
Security Requirements
V. Vuppala,Controls DB Meeting, Slide 3
![Page 4: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/4.jpg)
Information Architecture
, Slide 4V. Vuppala,Controls DB Meeting
Application layer• Operator interfaces• High-level applications• Libraries
Service layer• Access to data• Programming Interface
Data layer• Managed data• Instrument data• No direct access
![Page 5: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/5.jpg)
Example
V. Vuppala,Controls DB Meeting, Slide 5
S1
S2
S3Services
Application
1. What is the PV for XXX?
2. PV is PS01
3. Add Log E
ntry ‘YY
Y’ to L1
4. Done
5. ca
put P
S01 10
6. Don
e
![Page 6: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/6.jpg)
Persons, Groups, Roles Core
• Grouping of Components Based on Areas• Areas Associated with Roles• Grouping of Components Based on Operations• Operational Groups Associated with Roles• Develop a Tool to Specify Authorization and Delegation
Services• Each Application Has Its Own Authorization Data
Access Specification
V. Vuppala,Controls DB Meeting, Slide 6
![Page 7: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/7.jpg)
Roles
V. Vuppala,Controls DB Meeting, Slide 7
class Data Model
Role
«column»*PK ID :INTEGER Name :CHAR(64)
«PK»+ PK_Role(INTEGER)
Person
«column»*PK ID :INTEGER Name :CHAR(64)* LoginID :CHAR(32)
«PK»+ PK_Person(INTEGER)
«unique»+ UQ_Person_LoginID(CHAR)
Group
«column» ID :INTEGER Name :CHAR(64) Description :VARCHAR(255)
0..* 0..*
0..*
0..1+parent 0..*
{acyclic}
+child 0..*
0..*
0..1
![Page 8: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/8.jpg)
Authorization: Core Structural
V. Vuppala,Controls DB Meeting, Slide 8
class Data Model
Configuration-Component
«column»*PK ID :INTEGER* Qualifier :CHAR(1) Instance :CHAR(4) Operational :BOOL
«PK»+ PK_Configuration-Component(INTEGER)
AreaElement
«column»*PK ID Name :CHAR(64)
«PK»+ PK_AreaElement()
Role
«column»*PK ID :INTEGER Name :CHAR(64)
«PK»+ PK_Role(INTEGER)
AreaPriv s
- Description :char- privilege :int
0..1
0..*
+Parent 0..1
{acyclic}
+Child 0..*
0..*0..*
![Page 9: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/9.jpg)
Authorization: Core Operational
V. Vuppala,Controls DB Meeting, Slide 9
class Data Model
Configuration-Component
«column»*PK ID :INTEGER* Qualifier :CHAR(1) Instance :CHAR(4) Operational :BOOL
«PK»+ PK_Configuration-Component(INTEGER)
Role
«column»*PK ID :INTEGER Name :CHAR(64)
«PK»+ PK_Role(INTEGER)
OpsElement
«column» ID :INTEGER Name :CHAR(64) Description :VARCHAR(255)
OpsPriv s
- Description :char- Privileges :int
0..*
0..*
0..10..*
![Page 10: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/10.jpg)
Access Control: Realization
V. Vuppala,Controls DB Meeting, Slide 10
S1
S2
S3
1. What is the PV for XXX?
[Token]
2. PV is PS01
3. Add Log E
ntry ‘YY
Y’ to L1.
[Token]
4. Done
5. ca
put P
S01 10
.
[Toke
n]
6. Don
e
Auth
Credentials
Token
![Page 11: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/11.jpg)
Channel Access Does Not Support Tokens• Develop a Gateway?
Auth Service • Use Kerberos or Develop New Service• Single Point of Failure: Redundant Servers
Each Service Needs to Provide Security Configuration Tool• No Good Generic Way to Provide Service-Level Authorization
What About Dynamic Access Control?• Develop an Application for Reservation and Release (Check-in/out)
Concerns
V. Vuppala,Controls DB Meeting, Slide 11
![Page 12: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/12.jpg)
Authentication/Authorization Service Ticket Based System Persons, Groups, Roles Component Groupings for Core Security Specifications Service-Level Access Control left to Services Access Controls on IOCs Tools
• To Specify Core Authorizations• To Specify Service-Level Authorizations• To Reserve and Release Components
Architecture
V. Vuppala,Controls DB Meeting, Slide 12
![Page 13: FRIB Database Security](https://reader035.fdocuments.in/reader035/viewer/2022062501/568163e4550346895dd542da/html5/thumbnails/13.jpg)
Security Must Be Integrated Into DesignNot Very TrivialNo PrecedenceWork In Progress
Summary
, Slide 13V. Vuppala,Controls DB Meeting