differentiated access control differentiated access
play

Differentiated access control Differentiated access control to - PowerPoint PPT Presentation

Feb 10, 2024 •436 likes •596 views

Differentiated access control Differentiated access control to graph data to graph data Application to TinkerPop-compatible Application to TinkerPop-compatible graph databases graph databases Marc de Lignie Marc de Lignie Image courtesy:

  1. Differentiated access control Differentiated access control to graph data to graph data Application to TinkerPop-compatible Application to TinkerPop-compatible graph databases graph databases Marc de Lignie Marc de Lignie Image courtesy: http://cosmicweb.barabasilab.com/

  2. About me 1. self-taught data scientist, starting from a PhD in physics 2. interested in graph analytics and data fusion 3. employed at a Dutch government agency 4. contributor to 5. active in community 6. http://yaaics.blogspot.com FOSDEM 2019 2

  3. Differentiated access control to graph data 1. Exploration 2. Directions 3. Application to TinkerPop/JanusGraph << notebook demo>> 4. Wrap-up FOSDEM 2019 3

  4. Exploration: N data sources into 1 graph Business: person1 order1 buying history likes location1 Finance: payments product1 product2 Marketing person2 order2 Research: facebook data (This) business department may not be allowed to use exact location and facebook data for recommendations FOSDEM 2019 4

  5. Exploration: unauthorized edges person2 Store1 person3 person1 Store2 person4 Some users may not be allowed to traverse edges from Store2 FOSDEM 2019 5

  6. Differentiated access control to graph data 1. Exploration 2. Directions - separate graph stored per user group - datastore with cell-level security - filtering while traversing the graph 3. Application to TinkerPop/JanusGraph << notebook demo>> 4. Wrap-up FOSDEM 2019 6

  7. Directions: separate graph stored per user group Criterion one graph for all graph per user group #management processes + limited ○ scales with #groups available (cache) memory + exclusive ○ divided between groups CPU efficiency ○ authorization processing ○ support additional I/O network I/O efficiency + data shared ○ no sharing disk I/O efficiency + data shared ○ no sharing resilience wrt corruption ○ everyone or no one + just one graph scalability #user groups + not needed ○ limited FOSDEM 2019 7

  8. Directions: datastore with cell-level security need cell-level security to have the data store honor user authorizations ● cell-level user authorizations not implemented ● in current JanusGraph and Neo4j data formats https://docs.janusgraph.org/0.3.1/data-model.html http://key-value-stories.blogspot.com/2015/02/neo4j-architecture.html FOSDEM 2019 8

  9. Directions: filtering while traversing the graph [1/2] name = e01 authz = ["biz;3"] name = p0 authz = ["biz;3","fb;2"] user 1 name = v1 name = e11 authz = ["biz;1","biz;2","biz;3","fb;1"] authz = ["biz;3"] authz = ["fin;3"] name = p1 name = e12 authz = ["fin;3"] authz = ["fin;3"] name = v2 authz = ["fin;2"] name = e22 user 2 name = p2 authz = ["fin;4"] authz = ["biz;1","fin;1","fin;2","fin;3" ] authz = ["fin2"] Authorizations Authorization options assigned to users for element access FOSDEM 2019 9

  10. Directions: filtering while traversing the graph [2/2] graph application business logic & UI graph application model API graph application query logic unused private AuthorizedTraversal API filtering & restriction graph database API external graph database Correctly honoring user authorizations as a separate concern FOSDEM 2019 10

  11. Differentiated access control to graph data 1. Exploration 2. Directions 3. Application to TinkerPop/JanusGraph << notebook demo>> 4. Wrap-up FOSDEM 2019 11

  12. Application to TinkerPop: java-gremlin DSL Graph C GraphTraversalSource GraphTraversal I I C TinkerGraph C DefaultGraphTraversal DSL C __ anonymous graph traversal C StandardJanusGraph AuthorizedTraversalSource extends GraphTraversalSource: ● a java-gremlin DSL on top of the TinkerPop APIs ● restricts the TinkerPop APIs to authorized data access (this needs a few instances of stack inspection, which is fragile) FOSDEM 2019 12

  13. Application to TinkerPop: notebook demo userAuthz = ["biz;1", "biz;2", "biz;3"] graph.traversal(). V().has("authz", within(userAuthz)).has("name", "Mathilde"). outE("likes").has("authz", within(userAuthz)). inV().has("authz", within(userAuthz)). outE("lives").has("authz", within(userAuthz)). inV().has("authz", within(userAuthz)).has("city", "Brussels") graph.traversal(AuthorizedTraversalSource.class). withAuthorization(userAuthz). V().has("name", "Jane"). out("likes"). out("lives").has("city", "Brussels") https://github.com/vtslab/janusgraph/tree/fosdem2019/fosdem2019 FOSDEM 2019 13

  14. Wrap-up 1. Right visibility of sensitive graph data to different user groups is not easy to achieve 2. Separate graphs per user group result in penalties for performance and maintenance 3. Cell-level security is not part of data format of current graph databases 4. Filtering while traversing the graph is feasible – if fragile – provided that it is done within the context of a secure endpoint FOSDEM 2019 14

  15. Differentiated access control Differentiated access control to graph data to graph data THANK YOU THANK YOU Image courtesy: http://cosmicweb.barabasilab.com/

Recommend

Isolation and poverty: the relationship between spatially differentiated access to goods and

Isolation and poverty: the relationship between spatially differentiated access to goods and

Isolation and poverty: the relationship between spatially differentiated access to goods and services and poverty Kate Bird, Andy McKay &amp; Isaac Shinyekwa Understanding and Addressing Spatial Poverty Traps. Spier Estate, Stellenbosch, 29

460 views • 17 slides
Noise Differentiated Track Access Charges for Rail Infrastructure an Approach towards an

Noise Differentiated Track Access Charges for Rail Infrastructure an Approach towards an

Noise Differentiated Track Access Charges for Rail Infrastructure an Approach towards an adequate Pricing for Externalities in the Rail- Sector? Presentation at Conference on Applied Infrastructure Research Berlin University of Technology

268 views • 23 slides
Differentiated Essential Differentiated Essential Competencies (DECs) 1 Introduction

Differentiated Essential Differentiated Essential Competencies (DECs) 1 Introduction

Differentiated Essential Differentiated Essential Competencies (DECs) 1 Introduction Purpose of Webinar History Rationale Implementation Questions &amp; Answers Q ti &amp; A 2 Welcome! Director of Nursing

316 views • 31 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

577 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
EQUITABLE ACCESS INITIATIVE Draft Project overview and timeline Equitable Access Initiative (EAI)

EQUITABLE ACCESS INITIATIVE Draft Project overview and timeline Equitable Access Initiative (EAI)

EQUITABLE ACCESS INITIATIVE Draft Project overview and timeline Equitable Access Initiative (EAI) Joint Initiative by nine convening organizations Objective Develop a more differentiated approach than traditional country classification by

279 views • 10 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files &amp; processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Differentiated Durable Goods Monopoly and Competition Nava and Schiraldi London School of

Differentiated Durable Goods Monopoly and Competition Nava and Schiraldi London School of

Differentiated Durable Goods Monopoly and Competition Nava and Schiraldi London School of Economics March 2018 Nava (LSE) Differentiated Durable Goods Mar 18 1 / 74 Focus: Differentiated Durable Goods We study the incentives to

1.28k views • 74 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
What is differentiated care &amp; global guidance for scale up Lynne Wilkinson International AIDS

What is differentiated care &amp; global guidance for scale up Lynne Wilkinson International AIDS

What is differentiated care &amp; global guidance for scale up Lynne Wilkinson International AIDS Society 16 May 2017 www.iasociety.org Differentiated care is a client-centred approach that simplifies and adapts HIV services across the cascade

387 views • 21 slides
Creating Differentiated Storage Offerings Using Cinder Volume Types Bob Callaway, PhD Cloud

Creating Differentiated Storage Offerings Using Cinder Volume Types Bob Callaway, PhD Cloud

Creating Differentiated Storage Offerings Using Cinder Volume Types Bob Callaway, PhD Cloud Solutions Group, NetApp @rdcallaw 1 Agenda Why Offer Differentiated Storage Service Levels? Quick Overview of OpenStack Block Storage

321 views • 21 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
Differentiated Care ICAP Grand Rounds, 23 May 2017 Charles B. Holmes, MD, MPH Johns Hopkins

Differentiated Care ICAP Grand Rounds, 23 May 2017 Charles B. Holmes, MD, MPH Johns Hopkins

Research Priorities for Differentiated Care ICAP Grand Rounds, 23 May 2017 Charles B. Holmes, MD, MPH Johns Hopkins University Outline Why we need new approaches to HIV service delivery? Differentiated care- what is it? what is it not?

643 views • 40 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a

Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP NETWORKED ACCESS CONTROL Smart.Net-IP is a simple, modular approach to networked access control with scalability in mind. Easy management from a central location PC from anywhere with an

196 views • 9 slides
Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer

Outline Basics of access control Unix-style access control CSci 5271 Introduction to Computer Security Announcements intermission Day 10: OS security: access control Multilevel and mandatory access control Stephen McCamant University of

324 views • 10 slides
Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following

Access Control Mechanisms Week 6 1 CEN-5079: 7.March.2019 Why Access Control Following authentication, we need to decide what the subject can access 1 Read F 1 OK 2 Bob Write to F Alice 2 F NO ! 3 Execute G G 3 OK

596 views • 56 slides
1 Types of Power-Saving MACs The Sensor MAC (S-MAC) Three distinct classes of power-saving

1 Types of Power-Saving MACs The Sensor MAC (S-MAC) Three distinct classes of power-saving

What Is Media Access Control? Media Access Control (MAC) determines who gets access to the shared medium, and when Media Access Control In wired settings, usually just tries to avoid Greg Hackmann contention In wireless settings, can

399 views • 7 slides
Neoplasia II: Tumor Characteristics Tumor Characteristics Lecture Objectives Define tumor

Neoplasia II: Tumor Characteristics Tumor Characteristics Lecture Objectives Define tumor

Neoplasia II: Tumor Characteristics Tumor Characteristics Lecture Objectives Define tumor differentiation, and explain the difference between well-differentiated, moderately-differentiated, and poorly-differentiated tumor cells. Define

465 views • 45 slides
Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~#

Insecure Direct Object Reference IDOR ( Broken Access Control ) IDOR ( Broken Access Control ) ~# whoami Eric Biako Bsc. IT, CEH v9 Information security officer @ E-connecta Moderator @ https://legalhackmen.com IDOR ( Broken Access Control )

517 views • 12 slides

More recommend