RiMBAC
Risk Management Based Access Control

Michael Frangos
Supervised by: Dr William Scott and Dr Paul Montague

Overview

• Background & Motivation
  • Risk
  • Risk Management
  • Access Control
  • Multi Level Security

• Research questions & strategy

• Research Achievements
  • The RiMBAC Model
  • Comparison of RiMBAC and MLS

Risk

• What is Risk?

• “The expected impact on objectives due to one or more future events”

• Likelihood X Consequence

• Can be associated with negative or positive outcomes.


Risk Management

• A key business process.
• Standardized in AS/NZS 4360:2004.

Access Control

• What is Access Control?
  • The process of mediating requests to resources and data maintained by a system and determining whether the request should be granted or denied.

• Access Control Models
  • Discretionary
  • Mandatory
  • Role-based

Multi Level Security (MLS)

• What is MLS?
  • A form of mandatory access control.

• MLS Classifications

MLS Classification | Consequence of Damage
TOP SECRET | Exceptionally Grave Damage to NS
SECRET | Serious Damage to NS
CONFIDENTIAL | Damage to NS
RESTRICTED | Limited Damage to NS
UNCLASSIFIED | Negligible Damage to NS

What’s wrong with MLS?

• Risk involved in each access is determined statically.
  • Clearances and classifications rarely reviewed.

• Sensitivity of information will vary with time and context.

• Trustworthiness of individuals varies with time and context.

• Risk estimates are binary entities.
  • Risk is either zero or worst case consequence.

• Total organizational risk for information sharing is unknown.
  • Risk can’t be capped.

• No provision to deal with emergencies.

Research Questions

1. How can an access control model based on risk management be developed for organizations that currently employ MLS?

2. How effective would such an access control model be when compared to traditional MLS?


Research Strategy

• Phase 1 – Access Control Model Design

• Phase 2 – Agent-based Modelling

The RiMBAC Model

• Design Principles

Design Principle | Supporting Papers
The risk associated with each access is considered in access control decisions. | McGraw (2009), MITRE Corporation (2004), Molby et al. (2008)
The benefits associated with each access are considered in access control decisions. | Zhang et al. (2006)
Total information sharing risk for an organization can be limited. | McGraw (2009), MITRE Corporation (2004), Molby et al. (2008)
Information sharing risk is determined dynamically. | McGraw (2009), MITRE Corporation (2004), Molby et al. (2008), Zhang et al. (2006)
Access control decisions are auditable. | All Papers
Access control decisions consider context. | Diep et al. (2006), Ahmed & Zhang (2007)
Access control decisions are objective not subjective | All Papers
The model can extend the MLS model. | Cheng & Rohatgi (2007)

The RiMBAC Model

Organizational Context:

[Figure: diagram with the labels Organization, Management, Employees, Goals, Tasks, Information and Access Control System.]

The RiMBAC Model

Key Concepts and definitions:

Subject – An individual or computer process acting on behalf of an individual

Object – An information resource.

Compromise – Any event in which a subject who is not authorized by the access control system gains access to an object.

Harm – Negative impact on organizational goals (due to compromise of an object).

Benefit – Positive impact on organizational goals (due to completion of a task).

RiM – a unit of harm or benefit.

RiMBAC Overview

[Figure: overview diagram. Risk management process labels: Establish the Context, Identify Risk, Analyze Risk, Evaluate Risk, Treat Risk, Monitor and Review. RiMBAC labels: Organizational Goals established, Risk Tolerance Levels established, Information Sharing Risks defined, Information Sharing Benefits defined, Transactional Risk Calculated, Maximum Transactional Benefit Calculated, Access Control Decision Made, Access Control Decision Enforced, RiMBAC Monitor and Review. Other labels: Organization, Goals, Risks, Benefits, Level of Risk, Level of Benefit, Risk Thresholds, AC Policy, AC Decision, AC Result.]

The RiMBAC Model

1. Establish the context:

• Establish organizational goals.
  • i.e. “to make profit”, “to preserve national security”

• Set Risk Tolerance Levels for information sharing.
  • i.e. $5M per annum. (specified in RiMs)

The RiMBAC Model

2. Identify Risk:

• Identify information sharing risks:
  • Transactional risk – the risk involved each time a subject accesses an object.

• Identify information sharing benefits:
  • Transactional benefit – the benefit involved each time a subject accesses an object.

The RiMBAC Model

3. Analyze Risk:

• Calculate Transactional Risk.

• Calculate Transactional Benefit


The RiMBAC Model

Calculate Transactional Risk:

Object Risk (ROBJ) - Expected harm associated with an object.

Likelihood of harm x Consequence of harm

Consequence of harm:

RiMBAC Object

Potential Harm Function

Information Categories

i.e.


The RiMBAC Model

Likelihood of Harm:

Assume that harm will always result from compromise of an object.

i.e. PC = PHARM

[Figure: Object with trust indices TTI1, TTI2, …, TTIn and HTI1, HTI2, …, HTIm.]

The RiMBAC Model

PTC = 1 − TTI        PHC = 1 − HTI

PC = PTC1 ∪ PTC2 ∪ … ∪ PTCn ∪ PHC1 ∪ PHC2 ∪ … ∪ PHCm

[Figure: Object with trust indices TTI1, TTI2, …, TTIn and HTI1, HTI2, …, HTIm.]

The RiMBAC Model

Calculate Transactional Risk:

Object Risk (ROBJ) - Expected harm associated with an object.

Organizational Risk (RORG) - Sum of object risk for all objects in the organization.

The RiMBAC Model

Calculate Transactional Risk:

Transactional Risk (RTRANS) - Expected harm involved in a subject accessing an object.

The RiMBAC Model

Cumulative Transactional Risk:

[Figure: labels Bob, Object 1 (repeated), Time and TRB; subsequent builds of the slide add Sue, Task A, Task B, Task C, Organization and TRA.]

The RiMBAC Model

3. Analyze Risk:

• Calculate Transactional Risk.

• Calculate Transactional Benefit


The RiMBAC Model

Calculate Transactional Benefit:

Maximum Transactional Benefit (MBTRANS) - The potential benefit involved each time a subject accesses an object.

[Figure: RiMBAC Object, with the labels Potential Harm Function and Information Categories.]

The RiMBAC Model

Calculate Transactional Benefit:

[Figure: Bob with Task A, Task B and Task C; information category sets {1,2,3,4}, {1,2,5,6} and {1,2,3,4,5,6}; TBV=50 RiMs with TIF=0.2 and TBV=100 RiMs with TIF=0.5; ObjectCat {1, 44, 32}.]

MBTRANS = 50 x 0.2 + 100 x 0.5 = 60 RiMs

The RiMBAC Model

Break Glass Provision

• What happens in an emergency?
  • No time to create a task etc.

• Override Capability.
  • Known benefit specified.
  • Acceptance of risk signed by higher authority.
  • Risk is accounted for.
  • Risk tolerance thresholds can still apply

The RiMBAC Model

3. Analyze Risk:

• Calculate Transactional Risk.

• Calculate Transactional Benefit


The RiMBAC Model

3. Evaluate and Treat Risk:

Apply Access Control Policy to make access control decision:

Policy Examples

Allow all transactions where MBTRANS > RTRANS and TRATASK not exceeded.

Allow all transactions where MBTRANS > 5xRTRANS and TRASUBJ not exceeded.
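The calculation chain from the Analyze and Evaluate/Treat slides, as an added Python example that is not part of the original presentation. It assumes the compromise events are independent (so the union PC is 1 minus the product of the trust indices) and that RTRANS is PC times the object's harm value; the TTI values and the `RiskAllowance` class are constructed for illustration, while the HTI table, harm values, TBV/TIF pairs and the 75 RiM allowance come from the slides.

```python
from math import prod

# Taken from the simulation-parameter slides of this presentation.
HTI_BY_CLEARANCE = {"UNCLASSIFIED": 0.0, "RESTRICTED": 0.99,
                    "CONFIDENTIAL": 0.995, "SECRET": 0.999, "TOP SECRET": 0.9999}
HARM_RIMS = {"RESTRICTED": 1, "CONFIDENTIAL": 5, "SECRET": 20, "TOP SECRET": 100}

def p_compromise(ttis, htis):
    """PC = PTC1 ∪ ... ∪ PTCn ∪ PHC1 ∪ ... ∪ PHCm, PTC = 1 - TTI, PHC = 1 - HTI.
    Assumption (not stated on the slides): the events are independent, so the
    union equals 1 - (product of all TTIs) * (product of all HTIs)."""
    return 1.0 - prod(ttis) * prod(htis)

def transactional_risk(classification, ttis, clearance):
    """Assumed form: RTRANS = PC x consequence, with PHARM = PC as on the slides."""
    pc = p_compromise(ttis, [HTI_BY_CLEARANCE[clearance]])
    return pc * HARM_RIMS[classification]

def max_transactional_benefit(tasks):
    """MBTRANS = sum of TBV x TIF over the subject's relevant tasks."""
    return sum(tbv * tif for tbv, tif in tasks)

class RiskAllowance:
    """Hypothetical running cap on accepted risk, in RiMs per period."""
    def __init__(self, limit_rims):
        self.limit = limit_rims
        self.used = 0.0

    def decide(self, mb_trans, r_trans, ratio=1.0):
        """Allow when MBTRANS > ratio x RTRANS and the allowance is not exceeded."""
        if mb_trans > ratio * r_trans and self.used + r_trans <= self.limit:
            self.used += r_trans  # every granted access is charged to the cap
            return True
        return False

def granted_in_period(requests, limit_rims, ratio=1.0):
    """Count how many (MBTRANS, RTRANS) requests the policy grants, in order."""
    allowance = RiskAllowance(limit_rims)
    return sum(allowance.decide(mb, r, ratio) for mb, r in requests)

if __name__ == "__main__":
    ttis = [0.999, 0.9995]  # constructed TTI values for storage and transfer
    mb = max_transactional_benefit([(50, 0.2), (100, 0.5)])  # the slide's 60 RiMs
    r = transactional_risk("TOP SECRET", ttis, "SECRET")
    print(f"MBTRANS={mb:.1f} RTRANS={r:.4f} granted={granted_in_period([(mb, r)] * 400, 75)}")
```

With these inputs each access carries about 0.25 RiMs of risk, so the cap rather than the benefit test is what eventually stops a long run of individually acceptable requests.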


The RiMBAC Model

3. Monitor and Review:

• Monitor every access
  • Audit logs

• Monitor information leakage
  • Update TTI and HTI parameters.

• Regularly review:
  • organizational goals
  • risk tolerance thresholds
  • access control policy.
  • TBVs, TIFs

Technological Requirements

• Direct Access:
  • HTI for subject, TTI for storage and transfer technology.
  • Tasks, TBVs and information category sets.
  • TIFs for each subject.

• Indirect Access:
  • Portable credential exchange devices.

• RiMBAC Objects:
  • Metadata containing information categories, potential harm function.
  • Ontology for describing contextual factors.

Technological Requirements

• Information Leakage Monitoring
  • Mechanisms (i.e. object tracking, label management, audit logs)

• Transition from MLS to RiMBAC
  • 3 phase transition plan: (Still being finalized)

Comparing RiMBAC with MLS

Agent-based modelling

• Model a system from the bottom up.
  • Agents are a collection of autonomous decision-making entities.

• Shown to be effective at modeling human systems such as organizations. (Prietula et al. (1998))

• Provides a natural description of the system

• Flexible

• Captures emergent phenomena (i.e. Organizational behaviour)

• Repast (Recursive Porous Agent Simulation Toolkit)
  • Open source, Java-based, good documentation.

Comparing RiMBAC with MLS

[Figure: simulation layout with the labels REPAST SIMULATION, ORGANIZATION, Information Store and External Agents.]

Comparing RiMBAC with MLS

Measurands

For each access control model:

• How many resources are compromised?

• How much harm is caused due to compromise?

• How many beneficial resources do employees get hold of?


Comparing RiMBAC with MLS

Employee Agents

Attributes

Attribute | Description
ID | A unique identifier for the individual.
MLS Clearance | Multi Level Security Clearance {RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET}
HTI | RiMBAC Human Trust Index [0,1]
Trustworthiness | A measure of the individual’s actual trustworthiness. (%)
Information Appetite | The mean time between resource requests by the individual. (hours)
Required Information Categories | A list of information categories that the individual needs to complete their assigned tasks.
Current Resource List | The current resources held by the individual
Current Tasks | A set of organizational tasks that the employee is assigned to

Comparing RiMBAC with MLS

Employee Agents

Desire

• When being trustworthy:
  • Obtain any information resources required to complete assigned tasks.
  • Share information resources with any employees approved by security policy.

• When being untrustworthy:
  • Obtain any resources not required to complete assigned tasks.
  • Share information resources with anyone.

Comparing RiMBAC with MLS

Employee Agents

Decisions

• Decide what type of resource to ask for next based on trustworthiness and required information categories.

• Decide when to ask for information based on information appetite.

• Decide who to ask for information:
  • When being trustworthy, ask an employee who is believed to have such information (based on the tasks they are working on).
  • When being untrustworthy, ask an employee who is known to thwart policy (based on prior dealings)

• Decide whether to hand over a resource to another individual based on access control decision and trustworthiness.

Comparing RiMBAC with MLS

External Agents

Attributes

Attribute | Description
ID | A unique identifier for the individual.
MLS Clearance | Multi Level Security Clearance = UNCLASSIFIED
HTI | RiMBAC Human Trust Index = 0
Trustworthiness | A measure of the individual’s actual trustworthiness. (%)
Information Appetite | The mean time between resource requests by the individual. (hours)
Current Resource List | The current resources held by the individual

Comparing RiMBAC with MLS

External Agents

Desire

• Obtain any possible information resources from within the organization.

Comparing RiMBAC with MLS

External Agents

Decisions

• Decide what type (subject and classification) of resource to ask for:
  • Choose a resource type at random.

• Decide when to ask for information
  • based on information appetite.

• Decide who to ask for information:
  • Initially target random employees.
  • Later target mostly those employees known to thwart policy (based on previous experience).

Comparing RiMBAC with MLS

Simulation Parameters

• 20 Employees
  • Even distribution of MLS clearances
  • RiMBAC HTI derived from MLS clearance.

• 2 External Agents

MLS Clearance | RiMBAC HTI
UNCLASSIFIED | 0.0000
RESTRICTED | 0.9900
CONFIDENTIAL | 0.9950
SECRET | 0.9990
TOP SECRET | 0.9999

Comparing RiMBAC with MLS

Simulation Parameters

• 10,000 Information Resources

MLS Classification | Number of Resources
RESTRICTED | 4000
CONFIDENTIAL | 3000
SECRET | 2000
TOP SECRET | 1000

• RiMBAC Harm Value of Resources:

MLS Classification | Value in RiMs
RESTRICTED | 1
CONFIDENTIAL | 5
SECRET | 20
TOP SECRET | 100

Comparing RiMBAC with MLS

Sample Results: Beneficial Resources Obtained

[Figure: chart of Number of Beneficial Resources Obtained against Time (Years) for MLS and RiMBAC, with the regions Initialization Period and Real Simulation marked.]

Comparing RiMBAC with MLS

Sample Results: Information Leakage

[Figure: chart of Number of Resources Leaked against Time (Years) for MLS and RiMBAC.]

Comparing RiMBAC with MLS

Sample Results: Estimated Harm

[Figure: chart of Estimated Harm (RiMs) against Time (Years) for MLS and RiMBAC.]

Comparing RiMBAC with MLS

Sample Results: Information Leakage

Organizational Risk Allowance applied (75 RiMs per annum)

[Figure: chart of Number of Resources Leaked against Time (Years) for MLS and RiMBAC with TRA.]

Comparing RiMBAC with MLS

Sample Results: Estimated Harm

Organizational Risk Allowance applied (75 RiMs per annum)

[Figure: chart of Estimated Harm (RiMs) against Time (Years) for MLS and RiMBAC with TRA.]

Summary of Achievements

1. Existing Access Control Models incorporating risk reviewed.

2. Risk Management Based Access Control (RiMBAC) Model Developed.

3. Agent Based Model developed to assess RiMBAC with MLS.


Future Work

• Refine RiMBAC model
  • Trust models (TTI, HTI) developed.
  • Incentive for low risk, high benefit transactions.

• More complex Agent Based Model.
  • Dynamic harm value for objects included.
  • More complex agent characteristics and behaviour
    • Trust, friendships, annoyance, manipulation techniques etc.

• Simulate larger organization.
• Use of “Knowledge Pieces” to quantify benefit.

Questions?

Thanks for your attention!