1. Policy-driven Distributed Authorization: Status and Prospects (sanitized version)
Marianne Winslett, University of Illinois / POLICY 2007

2. A tale of two trends

3. Organizational boundaries used to be solid

4. Now boundaries are fuzzy. Why?
5. Competitive pressures are dissolving boundaries
[Figure: an organization surrounded by partners, the organizations it supplies, and the organizations that supply it]

6. Example: supply chains
[Figure: Walmart, its suppliers, and their 2nd-level suppliers]

7. Example: first responders
[Figure: an EOC linked to Police, Fire, Medical, Public Transit, Red Cross, Illinois Railroad, School District, and a Chemical Owner]

8. Example: any large enterprise
[Figure: an organization with Japanese, European and US divisions, each with Accounting, HR, and product lines 1 through 9]

9. Distinction between insiders and outsiders becomes unclear
[Figure: an organization]
10. Corporations are also facing new pressures for accountability

11. Accountability includes knowing who can/did do what to your data, when

12. Industry is taking several steps to meet these needs
- Strong authentication (X.509)
- Centralize role definitions, base on attributes
- Get access control out of apps (some day)
[Figure: employees Emp1 through Emp4 using SAP, CRM and ERP applications, each with its own access policy]

13. So enterprises are moving toward attribute-based access control
- Based off centralized LDAP + X.509
- Avoids inconsistency due to distribution
- Easier to maintain, compared to ACLs
- Less insider threat
[Figure: HR at Walmart, at Walmart's supplier, and at Walmart's supplier's supplier]
14. Doesn't this sound like a good thing?

15. Why this scares me: Automated exploitation of policy errors

16. Why this scares me: Centralized authorization services can be attacked

17. Why this scares me: Understanding policies
- Industrial policy languages were not intended for rigorous analysis or user-friendliness
- Analysis tools

18. Do things look more promising outside of industry?
- Bilateral trust
- Sensitive policies and credentials
- We understand this theory pretty well
19. Trust-negotiation-like approaches will inevitably come into use
[Figure: TrustBuilder exchange between Alice's network (her TrustBuilder security agent) and the Beijing office authorization server (its TrustBuilder security agent):
1. Authorization server receives Alice's LAN access request
2. Auth. server discloses access policy (on-site access for WidgetCorp employees only)
3. Alice discloses her policy for disclosing her WidgetCorp employee ID
4. Auth. server discloses its Patch 4 level credential, proves ownership
5. Alice discloses her employee ID, proves ownership
6. Auth. server grants access to certain portions of LAN]
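The exchange on slide 19, simulated as an added example; this is not code from the talk or from the TrustBuilder project. Each party holds credentials and a release policy that names which of the other side's credentials must already be on the table before a credential is released; the negotiation alternates disclosure rounds until the access policy is met or neither side can move. The names, credential types and values (Alice, AuthServer, WidgetCorpEmployeeID, PatchLevel4) are constructed for illustration. When negotiation fails, the trace ends with a plain-language reason derived from the final state, the kind of explanation slide 27 asks for instead of a proof.

```python
"""Toy trust negotiation (TN) between Alice's agent and an authorization server.

Added example following the exchange sketched on the slide; not code from the
talk or from the TrustBuilder project. All names, credential types, credential
values and release policies below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Party:
    name: str
    # credentials this party holds: credential type -> constructed value
    credentials: dict
    # release policy: credential type -> set of credential types the OTHER
    # party must already have disclosed before this one may be released
    # (an empty set means the credential is freely disclosable)
    release_policy: dict
    disclosed: set = field(default_factory=set)
    policies_sent: set = field(default_factory=set)


def satisfied(required: set, disclosed_by_other: set) -> bool:
    """A conjunctive policy is met once every required type has been disclosed."""
    return required <= disclosed_by_other


def explain_denial(requester: Party, server: Party, access_policy: set) -> list:
    """Plain-language reasons, derived from the final state rather than from a proof."""
    reasons = []
    for ctype in sorted(access_policy - requester.disclosed):
        if ctype not in requester.credentials:
            reasons.append(f"{requester.name} holds no {ctype} credential")
        else:
            blocked_on = requester.release_policy.get(ctype, set()) - server.disclosed
            reasons.append(
                f"{requester.name} will not release {ctype} until "
                f"{server.name} discloses {sorted(blocked_on)}"
            )
    return reasons


def negotiate(requester: Party, server: Party, access_policy: set, max_rounds: int = 10):
    """Alternate disclosure rounds until the access policy is satisfied by the
    requester's disclosures, or until neither side can release anything new.
    Returns (granted, trace); on denial the trace ends with the explanation."""
    trace = [f"{server.name} discloses access policy: requires {sorted(access_policy)}"]
    for _ in range(max_rounds):
        if satisfied(access_policy, requester.disclosed):
            trace.append(f"{server.name} grants access")
            return True, trace
        progress = False
        # requester moves first, then the server, as in the slide's exchange
        for me, other in ((requester, server), (server, requester)):
            for ctype, needs in me.release_policy.items():
                if ctype not in me.credentials or ctype in me.disclosed:
                    continue
                if satisfied(needs, other.disclosed):
                    me.disclosed.add(ctype)
                    trace.append(f"{me.name} discloses {ctype}, proves ownership")
                    progress = True
                elif ctype not in me.policies_sent:
                    # cannot release yet: disclose the release policy instead
                    me.policies_sent.add(ctype)
                    trace.append(f"{me.name} discloses its policy for releasing {ctype}: needs {sorted(needs)}")
                    progress = True
        if not progress:
            break
    trace.append(f"{server.name} denies access")
    trace.extend(explain_denial(requester, server, access_policy))
    return False, trace


def widgetcorp_scenario(server_has_patch4: bool = True):
    """The slide's scenario: on-site LAN access for WidgetCorp employees only.
    Alice releases her employee ID only to a server that has shown a Patch 4
    level credential; the server releases that credential freely."""
    alice = Party("Alice", {"WidgetCorpEmployeeID": "emp-0001 (constructed)"},
                  {"WidgetCorpEmployeeID": {"PatchLevel4"}})
    server_creds = {"PatchLevel4": "patch-4 (constructed)"} if server_has_patch4 else {}
    server = Party("AuthServer", server_creds, {"PatchLevel4": set()})
    return negotiate(alice, server, {"WidgetCorpEmployeeID"})


if __name__ == "__main__":
    for _, trace in (widgetcorp_scenario(True), widgetcorp_scenario(False)):
        print("\n".join(trace), "\n")
```

Running the module prints both traces: with a Patch 4 credential the server ends up granting access after two rounds; without it, Alice never releases her ID and the trace says exactly which disclosure she was waiting for.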
20. But this only means more policies, more complex decisions to explain
"Ohhhhhhh... Look at that, Schuster... Dogs are so cute when they try to comprehend quantum mechanics" --Gary Larson

21. Traditional access control is transparent; TN is not
"You are in the right group"

22. Great ideas can fail if they don't consider the human factor
The success of attribute-based policies for security and privacy, and ultimately the open and compliant systems they enable, relies on the ability of humans to comprehend and manage these policies.

23. Policy HCI is my #1 open problem
- Real-world case studies of policy management activities, to learn how users think about these activities
- User interfaces to help people understand and modify large, complex sets of policies

24. Example: Allegis, policy middleware company
- Software for cross-organizational access to customer relationship management applications
- Allegis does not allow its clients to update their policies themselves
- Only policy specialists can be trusted to understand and update the policies correctly
- Even they may struggle to specify, modify, and comprehend complex policies (note CRM focus)
25. Large policies are as complex as any software
- Declarative policy languages are not a panacea
- Consider hundreds of pages of (declarative) SQL:

    SELECT a1.Name, a1.Sales,
           SUM(a2.Sales) / (SELECT SUM(Sales) FROM Total_Sales) Pct_To_Total
    FROM Total_Sales a1, Total_Sales a2
    WHERE a1.Sales <= a2.Sales
       OR (a1.Sales = a2.Sales AND a1.Name = a2.Name)
    GROUP BY a1.Name, a1.Sales
    ORDER BY a1.Sales DESC, a1.Name DESC;
    ...

- And any bugs may be found and exploited automatically
26. What if companies manage their own policies, as is natural with ABAC?
- How can a decision-maker with limited technical expertise quickly understand a particular policy that suddenly becomes crucial?
- What if the company's policy admin quits or is sick? How can a new hire quickly understand policies?
- Ordinary users: Why was this decision made? How can I get it reversed? What if I ...

27. A proof is not an explanation
- Proofs are fundamental in TN
- But almost no one can understand a proof
- Need heuristics to turn proofs into explanations, both for ordinary users and administrators
- An explanation of why you didn't get access, or how to get access, or what these policies say, doesn't start from a proof

28. A possible solution: visual metaphors
[Figure: Early design schematic for a visual interface for managing security policies. Menu bar: File, Edit, Actions, Window. Panels: Subject / Request / Resource / Entity; Users (Adam, Patient, Administrator), Roles (Nurse, Doctor), Credentials, Resources (Demographic, Prescription, Lab report, X-ray), Policies (Conceal, Release); a Visual View, a Source Code window and an Explanation window.
Explanation window: The patient, Adam, wants to conceal prescriptions after May 2006* and lab reports after June 2006** from Dr. Gurtner (his previous physician).
Source Code window:
Conceal-request(Jay, [(X-Ray, 5/2003, 7/2003)], Dr_Gupta, 5/2003)
Conceal-request(Ragib, [(Demographic)], Dr_Snir, 8/2000)
Conceal-request(Adam, [(Lab_Report, 6/2006), (Prescriptions, 5/2006)], Dr_Gurtner, NOW)
Conceal-request(Megan, [(Prescriptions, 1/2005)], Dr_Nelson, 12/2004)
Callouts: Context-sensitive menus could be used to set temporal and other related constraints, indicated with small icons. Adjustable borders allow the source code and explanation windows to be selectively positioned or closed.]

29. A possible solution: use AI to convert proofs into explanations
30. Policy analysis is the #2 open problem
- We need to develop tools for analyzing large sets of policies: safety, availability, what-if?, why?
- both for policy administrators and ordinary users
- even in heterogeneous systems
Challenges #1 & #2 should keep us busy for the next decade!
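The four analyses named on slide 30 (safety, availability, what-if, why), worked as an added example over a small constructed attribute-based policy; this is not code from the talk. Rules are conjunctions of attributes, any listed alternative grants the permission, and the attribute universe is assumed closed and small, so safety can be checked by exhaustive search over attribute combinations. The policy, the attribute names and the separation-of-duty pair used below are constructed for illustration.

```python
"""Static analysis of a small attribute-based policy set: safety, availability,
what-if and why.

Added example, not code from the talk. The rules, attributes and the
separation-of-duty constraint are constructed. The analysis assumes a closed
attribute universe and conjunctive rules, so an exhaustive search over
attribute combinations is feasible for a policy of this size.
"""
from itertools import combinations

# permission -> alternative attribute conjunctions; holding every attribute of
# any one alternative grants the permission (constructed policy)
POLICY = {
    "read_chart": [{"nurse"}, {"doctor"}],
    "write_prescription": [{"doctor", "licensed"}],
    "approve_payment": [{"finance", "manager"}],
    "issue_payment": [{"finance", "clerk"}],
}


def attribute_universe(policy):
    """Every attribute mentioned by any rule, sorted for deterministic search."""
    return sorted({a for alts in policy.values() for alt in alts for a in alt})


def permissions(policy, attrs):
    """Permissions a principal holding exactly these attributes obtains."""
    attrs = set(attrs)
    return {perm for perm, alts in policy.items() if any(alt <= attrs for alt in alts)}


def safety_violations(policy, forbidden):
    """Safety: the minimal attribute sets that obtain every permission in
    `forbidden` together (e.g. a separation-of-duty pair). Subsets are searched
    smallest first, and supersets of a known violation are skipped."""
    found = []
    universe = attribute_universe(policy)
    for size in range(1, len(universe) + 1):
        for combo in combinations(universe, size):
            attrs = set(combo)
            if any(v <= attrs for v in found):
                continue
            if forbidden <= permissions(policy, attrs):
                found.append(attrs)
    return found


def availability(policy, group_attrs, perm):
    """Availability: do all principals holding `group_attrs` get `perm`?
    Rules are conjunctive, so permissions only grow with attributes and
    checking the group's defining attributes suffices."""
    return perm in permissions(policy, group_attrs)


def what_if(policy, attrs, add=(), remove=()):
    """What-if: the permission delta from changing a principal's attributes."""
    before = permissions(policy, attrs)
    after = permissions(policy, (set(attrs) | set(add)) - set(remove))
    return {"gained": sorted(after - before), "lost": sorted(before - after)}


def why_not(policy, attrs, perm):
    """Why: the smallest set of attributes still missing for `perm`, as the
    basis for a user-facing explanation. [] means already granted; None means
    no rule grants `perm` at all."""
    attrs = set(attrs)
    if perm in permissions(policy, attrs):
        return []
    alts = policy.get(perm)
    if not alts:
        return None
    return min((sorted(alt - attrs) for alt in alts), key=len)


if __name__ == "__main__":
    sod = {"approve_payment", "issue_payment"}
    print("safety violations for", sorted(sod), ":", safety_violations(POLICY, sod))
    print("nurses can read charts:", availability(POLICY, {"nurse"}, "read_chart"))
    print("clerk gains manager:", what_if(POLICY, {"finance", "clerk"}, add=["manager"]))
    print("why can't a doctor prescribe:", why_not(POLICY, {"doctor"}, "write_prescription"))
```

The safety check answers the administrator's question (which attribute combinations break separation of duty), while why_not answers the ordinary user's question from slide 26 ("why was this decision made, and what would change it") without exposing a proof tree.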
31. Lack of real-world experience is challenge #3
- Cassandra health care policies
- Shibboleth installations, but only one-shot unilateral trust, with a closed set of organizations
We need more feedback from the real world to ensure that we are addressing the most important problems in policy-based authorization!

32. Vulnerability to attack is #4
- Centralized authorization servers are an attractive target
- TN is heavyweight, so DDoS is so easy

33. TN is heavyweight
- Multiple rounds of exchange
- (Nested) third-party interactions
- Complex decision making processes
- Expensive crypto
This is a liability. Solutions will require a multi-faceted approach.