Engineering Access Control for Distributed Enterprise Applicat

Document Sample
Engineering Access Control for Distributed Enterprise Applicat Powered By Docstoc
					 Engineering Access Control for
Distributed Enterprise Applications

                        Konstantin Beznosov
      Center for Advanced Distributed Systems Engineering
                   School of Computer Science
              Florida International University, Miami
                 http://www.cs.fiu.edu/~beznosov
         Main Contribution

    An approach that enables a
      comprehensive solution for
controlling access to the resources of
  distributed enterprise applications




                                         2
                         Outline

• Introduction
   – What is access control?
   – Problem Statement
• Controlling access at middleware level
   – CORBA protection state configuration
   – Supporting RBAC in CORBA Security
• Controlling access at application level
   – RAD architecture
   – CAAS -- CORBA-based RAD prototype
   – Performance measurements
• Conclusions

                                            3
Introduction
                           Conventional Computer Security
                                                                Preventing bad things
                                                                   from happening
Protection from
 breaking rules
                                              Protection                                                    Assurance




                                                                                                                               Development Assurance


                                                                                                                                                       Operational Assurance
         Authorization                         Accountability      Availability




                                                                                                            Design Assurance
                                                                   Service Continuity
          Access Control




                                                                                        Disaster Recovery
                            Data Protection




                                                   Audit



                                                  Non-
                                               Repudiation


    enforces the rules,
 when rule check is possible                                                                                                                                                   5
                                   Access Control
                                                                             Object Security
    Subject Security Attributes                                                Attributes
      id=Alice                                  Authorization               type=patient_record

    role=physician
                     clearance=Y                Rule Database               classification=Z
                 group=depX                                                      owner=Bond
                                   Action Attributes        Authorization
                                      name=read              Decisions

                                              Reference
  Subject                             actions monitor
 Privilege                                        decision/enforcement
                                                                            Objects
 Attributes          Subjects                 Access Control
                                                Mechanism

Rule Example: “subject physician can do action read on object patient record”
                                                                                                  6
Problem Statement
               Driving Forces



 Functional                     Architectural
Requirements    Problem         Requirements




                                                8
                               System Perspective
   Specific to Application Domain                          Request-specific
 Subject Security Attributes       Is attending physician?
                role=physician
                                                                    Object Security
  id=Alice
                                                                      Attributes
                                                                       owner=Bond
                               Context     Authorization
                                                                   type=patient_record
      Not                      sensitive   Rule Database
                                                                  subtype=current_episode
   managed
  by security                                     Authorization
                     Emergency                     Decisions
   admin-s
                                            Reference                           Fine
                                     actions monitor                            grain
 Subject Non-security                                        Objects
                         Subjects          Access Control
      Attributes
      age=40                                 Mechanism
“subject attending physician can do action read on object current episode sensitive
   records of the patient”                    complex                                       9
      Functional Requirements Summary

•   Application-specific authorization policies
•   Fine-grain resources
•   Application- and request-specific information
•   Workflow context (e.g. emergency context)
•   Non-security information
•   Complex policies




                                                    10
                Enterprise Perspective
             (Architectural Requirements)
• Constraints
   – amount of change
   – existing information infrastructure reuse
• Objectives
   –   change containment
   –   reduce the maintenance and re-alignment cost
   –   scalable with the increase in the number of deployed applications
   –   policy consistency across enterprise applications




                                                                           11
               Problem Statement

No adequate support for controlling access to
 –   fine-grain application resources,
 –   according to the application-specific policies, and
 –   using application-specific information, while
 –   supporting the objectives of the information
     enterprise architectures




                                                           12
                  Available Solutions

• Embed AC logic into applications
   +   fine granularity
   +   application-specific policies and information
   –   applications expensive to develop, evolve, and own
   –   no cross-application consistency
   –   non-scalable
• Use (CORBA) middleware AC
   +   scalable, external AC, cross-application consistency
   +   inexpensive to develop, evolve, and own
   –   coarse granularity
   –   generic policies and information

                                                              13
                The Approach
1. Address the problem as much
as possible using standard
middleware




                        2. Address the rest of the
                        problem with application-
                        level authorization service

                                                      14
Controlling Access at Middleware Level
Controlling Access Using RBAC/CORBA:
              Contributions
• Defined
  – CORBA protection system configuration (CPSC)
     • Provides precise language for authorization modeling in
       CORBA
  – Authorization algorithm
     • defines formally authorization decisions in CORBA
• Showed that Role-based Access Control (RBAC)
  models can be implemented using CORBA Security
  – Translated RBAC0-RBAC3 definitions into CPSC language
  – Identified what and how needs to be implemented in CORBA
    Security for it to support RBAC0-RBAC3 models

                                                                 16
    Controlling Access Using RBAC/CORBA:
                   Motivations
Why CORBA                             Why RBAC
+ External access control             + Facilitates access control
+ Open industry standard                administration and review
+ Heterogeneous systems               + Scalable
+ Scalable                            + Policy-neutral
+ Fine-grain (method-level) control   + Supports main principles
+ Meets architectural requirements       † least privilege
                                         † separation of duties
                                         † data abstraction
                                      + Supersedes DAC and MAC
                                      + Popular


                                                                     17
Controlling Access at Application Level
    Resource Access Decision Service
                                                                                            - Centralized Admin.
                                                                                            - Cross-application
                                                                                            consistency




    Client                               AS                                  RAD




              1. Application Request                 2. Authorization request

             4. Reply to application request       3. Reply to authorization request

                                          Middleware
Application Client                   Application                            Authorization
                                      System                                   Service

                                                                                       Decoupling authorization
                                                                                       and application logic

                                                                                                                   19
                         RAD Architecture
                                        Application System


                                                 1: access_allowed


                                         Access Decision
                                             Object
2: get_policy_decision_evaluators
                                                                 4: combine_decisions

              Policy
                                                                DecisionCombinator
           EvaluatorLocator


                                    3: get_dynamic_attributes             5: * evaluate

              DynamicAttributeService

                                                             PolicyEvaluator



      RAD
                                                                                          20
                    RAD Features

•   Authorization and application logic separated
•   Minimum application involvement
•   Fine-grain authorization
•   Request- and application-specific information
•   Policy-neutral
•   Adaptable and reconfigurable
•   Uses underlying middleware and its security




                                                    21
         Issues and Questions to Address

• How design and implement RAD service
   – flexible (responsive to the changes in policies and conditions)
   – extendable (capable of accommodating new functionality)
   – portable
• Performance implications?




                                                                       22
CORBA-based Application Authorization Service - CAAS




   Client
    Client          AS
                     AS              CAAS            Naming
     Client           AS              CAAS


                      CORBA ORB



      Feasibility, Design, Performance, Policy modeling

                                                          23
                    Configurations for Performance
                            Measurements
                             Communication path -- main factor
                     Process/Object                                                         Process/Process

                       Application      Authorization                                      Application    CAAS Authorization
                        Process            Process                                          Process           Processes
     CLIENT




                                                                           CLIENT
                                                                                                                     DAS   DC
                                          CAAS                                                             ADO
                                                                                                                     PEL    PE

Client Host               Server Host                           Client Host                        Server Host

                Object=function call                                                process=process+ORB

                     Host/Object                                                       Host/Process/PE-Host
                                                                                                      CAAS
                       Application         Authorization                             Application    Authorization        PE
                                                                                      Process                          Process



                                                                  CLIENT
                        Process              Process
       CLIENT




                                                                                                     Processes
                                                                                                          DAS
                                              CAAS                                                  ADO         DC         PE
                                                                                                          PEL


 Client Host           Server Host       Authorization Host   Client Host            Server Host   Authorization Host PE Host


                                             Host=process+ORB+network
                                                                                                                                 24
 Performance Measurements Objectives

• Quantify implications on performance
• Identify factors affecting the performance
• Identify application groups matching the performance
  requirements




                                                         25
How Challenging Performance-wise to
 Use RAD with Various Applications
                                    Authorization Service Usage
                                 (app. logic time between requests)
Limitations on         Intensive            Medium               Mild
response latency     (10ms or less)     (between 100ms       (10s or more)
inscrease                                   and 1s)
Strict             Authorization and      CAAS              Any configuration or
(5% or less)       appli cation           components in     location
                   functions located in   one process
                   one process
Medium             1.CAAS                 Any configuration Any configuration or
(between 10%       components in one      or location       location
and 30%)           process
                   2.CAAS and
                   applica tion on the
                   same host
Lax                Any configuration      Any configuration Any configuration or
(over 30%)         or location            or location       location

                     Very Difficult Difficult Medium Easy

                                                                                   26
                         Summary
Proposed an approach for controlling access to the
  resources of distributed enterprise applications
• CORBA Security
   – CORBA protection system configuration and authorization
     decision algorithm
   – RBAC/CORBA framework
• Authorization Service Architecture
   – Features
      • Decoupling application and authorization logic
      • Centralized scalable administration
      • Dynamic reconfiguration
      • Support for application-specific policies and information
        in application-independent way
   – Studied design, policy modeling and performance
                                                                    27
                                  Related Publications
•   Modeling RBAC with CORBA Security
     +   K. Beznosov and Y. Deng, “A Framework for Implementing Role-based Access Control Using CORBA Security
         Service,” Fourth ACM Workshop on Role-Based Access Control, Fairfax, Virginia, USA, 1999.
•   Access control at application level
     +   K. Beznosov, Y. Deng, B. Blakley, C. Burt, and J. Barkley, “A Resource Access Decision Service for CORBA-based
         Distributed Systems,” Annual Computer Security Applications Conference, Phoenix, Arizona, USA, 1999.
     *   OMG, “Resource Access Decision Facility: Revised Proposal,” Object Management Group, document number:
         corbamed/99-05-04, May 1999.
     +   K. Beznosov, L. Espinal, and Y. Deng, “Performance Considerations for CORBA-based Application Authorization
         Service,” In Proceedings of the Fourth International Conference on Software Engineering and Applications (pending
         acceptance), Las Vegas, Nevada, November 6-9 2000.
     +   Y. Deng, J. Wang, K. Beznosov and J. J. P. Tsai. “An approach for modeling and analysis of security system
         architectures,” submitted to IEEE Transactions on Knowledge and Data Engineering, 2000.
     –   L. Espinal, K. Beznosov, and Y. Deng, “Design and Implementation of Resource Access Decision Server,” Center for
         Advanced Distributed Systems Engineering, FIU, Miami, Technical Report 2000-01, January 2000.
•   Relationships in access control
     +   J. Barkley, K. Beznosov, and J. Uppal, “Supporting Relationships in Access Control Using Role Based Access Control,”
         Fourth ACM Role-based Access Control Workshop, Fairfax, Virginia, USA, 1999.
•   Access control in US healthcare domain
     –   K. Beznosov, “Issues in the Security Architecture of the Computerized Patient Record Enterprise,” Second Workshop
         on Distributed Object Computing Security, Baltimore, Maryland, USA, 1998.
     –   K. Beznosov, “Requirements for Access Control: US Healthcare Domain,” Third ACM Workshop on RBAC, 1998.
•   Information Enterprise Architecture
     –    K. Beznosov, “Architecture of Information Enterprises: Problems and Perspectives,” School of Computer Science,
          Florida International University, Miami, technical report 2000-06, June 2000.
     + referred, – non-referred, * specification
                                                                                                                                28
              Approaches to Application Access Control:
                           Policy Agents
                                                   Mechanism 1            • Accommodates existing body of
                            mapping 1    agent                            products and technologies
  Policies                                                                • Inherent fault tolerance
                                                   Application
                                                                 Access   • Enterprise security is naturally
                           map
                              ping
                                   2                                      compartmentalized
                                         agent                            • Nominal performance overhead
                  3
                  ng




                                                                          • High degree of run time autonomy
                   ppi
         gN




                                            Mechanism 2
                      ma
   mappin




                                                                          • How to map?!
                                            Application
                      agent                               Access          • Least expressive and most
                                                                          coarse-grain policy supported
agent                      Mechanism 3
                                                                          • Distribution of policy updates
Mechanism N
                           Application   Access      • J. Hale, P. Galiasso, M. Papa, and S. Shenoi,
                                                     “Security Policy Coordination for Heterogeneous Information
 Application
                                                     Systems,” Annual Computer Security Applications Conference,
               Access                                Phoenix, Arizona, USA, 1999.


                                                                                                                   29
    Approaches to Application Access Control: Proxies
                                                           • No changes to an application system
                                                           • External enforcement
                                                           • Reference monitor size is controlled

                                                           • Coarse granularity of access control

Access
                 Proxy Application                         • Decisions and enforcement outside of
                                                           application
              Enforce                                      • No application-specific enforcement
               ment                                        • Policy and authorization data consistency?
                          Policies


• DCOM, CORBA
• B. Hailpern and H. Ossher, “Extending Objects to Support Multiple Interfaces and Access Control,” IEEE
Transactions on Software Engineering, vol. 16, pp. 1247-1257, 1990.
• J. Barkley, “Implementing Role-based Access Control Using Object Technology,” The First ACM Workshop on Role-
Based Access Control, Fairfax, Virginia, USA, 1995.
• R. Filman and T. Linden, “SafeBots: a Paradigm for Software Security Controls,” New Security Paradigms Workshop,
Lake Arrowhead, CA USA, 1996.
• C. W. W.A. Wulf, and D. Kienxle, “A new model of security for distributed systems,” 1995.
• T. Riechmann and F. J. Hauck, “Meta Objects for Access Control: A Formal Model for Role-based Principals,” New
Security Paradigms Workshop, 1998.
                                                                                                                   30
                      Authorization Services:
            A Solution to Enterprise Application Security
                                                                      •    Access control decisions external to
                                                                           application
                                                                      •    Logically centralized administration of
                                                                           enterprise wide policies

Access
         Application Policy Decision Authorization Service            •    Simplified application development
                                                                      •    Any level of granularity
             Enforce                              Policies            •    Easy policy changes and updates
              ment
                                                                      •    Just is time authorization decisions

                                                                      •     Application system part of reference
                                                                            monitor
                                                                        •   Performance, fault tolerance, scalability,
                                                                            resource representation
  •   V. Varadharajan and C. C. a. J. Pato, “Authorization in Enterprise-wide Distributed System: A Practical
      Design and Application,” 14th Annual Computer Security Applications Conference, 1998.
  •   T. Y. C. Woo and S. S. Lam, “Designing a Distributed Authorization Service,” IEEE INFOCOM, San
      Francisco, 1998.
  •   R. Simon and M. E. Zurko, “Adage: An Architecture for Distributed Authorization,” OSF Research Institute,
      Cambridge 1997.

                                                                                                                     31
            RAD Configuration Example
                                          Application System


                                                   1: access_allowed


                                           Access Decision
                                               Object
2: get_policy_decision_evaluators
                                                                     4: combine_decisions

    Policy EvaluatorLocator
                                                                    Logical OR
                                                                    DecisionCombinator
 3: get_dynamic_attributes

                                                     5: evaluate                         6: evaluate
                  Relationships
                DynamicAttributeService
                                                             RBAC                   RelBAC
                                                       PolicyEvaluator           PolicyEvaluator
      RAD
                                                                                                       32
                                            Walk Through

AS                          ADO                           PEL                      DAS                      DC                 RBAC PE
                                                                                                                     role caregiver
     access_allowed({patient_id=29984329,record_part=PN}, read, { ser_id=g,role=caregiver, role=nurse})
                                                                u                                                    can read
                                                                                                                     patient_name
                                   get_policy_decision_evaluators({patient_id=29984329,record_part=PN})




                                                                                         {
                      get_dynamic_attributes({patient_id=29984329,record_part=PN}, read, user_id=g,role=caregiver,role=nurse})


                                                                                    u
                      combine_decisions({patient_id=29984329,record_part=PN}, read, { ser_id=g,role=caregiver,role=nurse }, {RBAC PE})


                                                                                            u
                                       evaluate({patient_id=29984329,record_part=PN}, read, { ser_id=g,role=caregiver,role=nurse })




                                                                                              RAD




                                                                                                                                         33
            RAD Features and Issues

• Features:
   – Centralized administration of access control mechanisms
   – Dynamic change of access control policies
   – Independent development and evolution of application and
     authorization services
   – Policy-neutral by encapsulating policy evaluation in independent
     policy evaluators
   – Support for domain/request-specific factors
• Major issues
   – Performance in terms of response time
   – Policy modeling




                                                                        34
  Extensibility via Design Patterns
         <<Interface>>                                                 <<IDL Interface>>
 DecisionCombinatorOperations                                         DecisionCombinator
                                                                     combine_decisions()



tie                                      Strategy
mechanism                                Pattern



   DecisionCombinatorContext                                              <<Interface>>
  DecisionCombinatorContext()                                      DecisionCombinatorStrategy
  combine_decisions()                      -strategy              makeDecision()
                                  0..*                     1..1


  Template
                             AbstractAndOrCombinator
  Method Pattern
                            shouldDeny()
                            makeDecision()




  OpenWorldAndOrCombinationPolicy                       ClosedWorldAndOrCombinationPolicy


  grant access if no PE returns "NO"                   grant access if all PE's return "YES"


                                                                                                35
                Flexibility Built into Architecture
                                                                                                                <<IDL Interface>>
                                                                                                                                         1              1..*     <<IDL Interface>>
                                                                                                                AccessDecision
                                           +admin                 <<IDL Interface>>                                                                            AccessDecisionAdmin
          <<IDL Interface>>                                                                                access_allowed()
   DynamicAttributeServiceAdminExt                           DynamicAttributeServiceExt                    multiple_access_allowed()           +admin




                    DynamicAttributeServiceContext
                                                                                                           ResourceAccessDecider              Component discovery
                                                    1..n          loads
                                                                                               1..1             1..n
                                                                                                        loads
                                                                             1..1     loader
                                                                   loads                                                   Loading components
                                                                              1..1               1..1
                          PolicyEvaluatorContext                                                                           in one process                         ObjectResolver
                                                                                      1..1
                                                           1..n

                                                                           loads                                loads


                                                                                                                          1..n
    <<IDL Interface>>       <<IDL Interface>>
                                                                             1..n
PolicyEvaluatorAdminExt      PolicyEvaluator
                              evaluate()               PolicyEvaluatorLocatorContext                             DecisionCombinatorContext
                                                                                                                                                                   resolves OR to




                                                                                                                         <<IDL Interface>>
                   <<IDL Interface>>                             <<IDL Interface>>
                                                                                                                        DecisionCombinator
            PolicyEvaluatorLocatorAdminExt                    PolicyEvaluatorLocator
                                                                                                                        combine_decisions()
                                                           get_policy_decision_evaluators()                                                                         COSNaming




                                                                                                                                                                                     36
                               Policy Evaluators Design
     <<IDL Interface>>                                                       <<Interface>>
     PolicyEvaluator                   <<IDL Interface>>
                                     PolicyEvaluatorExt              PolicyEvaluatorExtOperations
    evaluate()
                                                                                                                     PolicyEvaluatorContext

                                  +thePolicyEvaluatorAdminExt               tie
                                                                                                                    set_policies()
                                                                          mechanism
    <<IDL Interface>>                                                                                               add_policies()
 PolicyEvaluatorAdmin                                                                                               list_policies()
                                       <<IDL Interface>>                     <<Interface>>
set_policies()                                                                                                      delete_policies()
add_policies()                    PolicyEvaluatorAdminExt         PolicyEvaluatorAdminExtOperations                 evaluate()
list_policies()                  shutdown()
set_default_policy()                                                                                        1..1
delete_policies()                                                                                                           0..*
                                              Null Object                <<Interface>>
                                              Pattern            PoliciesByResourceNameMap 0..*
                                                                                                      Strategy
                                                                clear()
                                                                                                      Pattern
         NullPoliciesByResourceNameMap                          hasResourceName()
                                                                getPolicies()                                               1..1
                                                                isEmpty()
                                                                putPolicies()
                                                                                                                          <<Interface>>
                                                                removePolicies()
                                                                                                                    PolicyEvaluatorStrategy
                                                                                                                   evaluateUsingPolicy()
        RBACEvaluator                                                                                              areValidPolicies()
                                                                                                                   list_policies()
                                                                                                                   getDafultPolicy()



                        FileSystemPermissionsEvaluator                                                AlwaysGrantDenyAbstractEvaluator

                                                                        Template
                                                                        Pattern



UnixFileSystemPermisionsEvaluator             NtfsFileSystemPermissionsEvaluator             AlwaysDenyEvaluator          AlwaysGrantEvaluator
                                                                                                                                                 37
                       CAAS: Highly Configurable


                                                              Application      CAAS             PE
                                                                                              Process
     CLIENT




                            Process                            Process




                                                    CLIENT
                                                                              Processes
                   Application        CAAS                                         DAS
                                                                             ADO         DC     PE
                                                                                   PEL

Client Host               Server Host
                                                Client Host   Server Host   Authorization Host PE Host
          Reference Configuration                     Host/Process/PE-Host Configuration


•   Changeable and portable
       – e.g. provides both run-time interface for authorization and administrative
         interface for configuring CAAS components
•   Supports different types of policies
       – federations, multi-policy, relationship-based access control (RelBAC)



                                                                                                         38
Conducting Performance Measurements

                                 time t3
                                                                         App. Server
              Client
                                                                        External Auth.
                                 time t4                              Business Logic Delay
    time t2            time t1


      App. Server
     Embedded Auth.                                                           RAD
     Business Logic Delay

•      Measure response time perceived by the client: Temb= (t2 - t1) and T = (t4-t3).
•      Measure response time increase I=(T%Temb -1)*100
•      Repeat for 1ms, 10ms, 100ms, 1sec, 10sec business logic delays.
•      Repeat for 1, 10, 100, 1000 authorization requests.
•      Repeat for different configurations.
•      Conduct measurements under low network load (< 1%)


                                                                                             39
                             Performance Measurement Results
                                700

                                600
  Response Time Increase %



                                500

                                400

                                300

                                200

                                100

                                 0

                                100
                                      1        10                100              1000       10000
Process/Object                        32       10                 1                 0          0
Host/Object                           76       31                 4                 0          0
Host/Object/PE                        139      52                 7                 1          0
Host/Process                          533      188               26                 3          0
Process/Process                       529      200               27                 3          0
Host/Process/PE-Host                  633      211               30                 3          0
                                            Application Processing Time/Authorization (ms)




                                                                                                     40
A configuration of a CORBA system protection state is the thirteen-tuple (A, IM, O, R, D, C, RRM, DS, IDM,
    GRM, effective rights, combine, interface operation) interpreted as follows:
     –   A -- set of privilege attributes.
     –   IM -- set of operations uniquely identified by rights returned from effective rights for every domain interfaces that
         they are defined on.
     –   O is a set of distinguishable interface instances.
     –   R is the set of rights.
     –   D is the set of access policy domains.
     –   C = {all, any} is a set of rights combinators.
     –   RRM is the required rights matrix, with a row for every interface operation from IM and two columns. For the first
         column (Required Rights), we have . For the second column (Combinator), we have .
     –   DS = {i, d} is a set of delegation states.
     –   IDM is the matrix of domain membership for interface instances with a row for every domain from D and a
         column for every interface instance from O. We denote the contents of (D, O) cell of IDM by [D,O]. We have , .
     –   GRM is the granted rights matrix, with a row for every attribute from A and a column for every access policy
         domain from D. We denote the contents of the policy domain from D. We denote the contents of the .
     –   effective_rights: , a function mapping a set a1,a2,...al of privilege attributes (where ) in a domain to a set of rights
         r1,r2,...rp (where ) that are in effect for the given set of attributes.
     –   combine: a function mapping sets of rights returned from effective_rights for every domain in D the interface
         instance is a member of, to a set of effective rights.
     –   interface_operation: a function mapping an operation name m and an interface instance into an interface
         operation uniquely identified on the interface, which o implements.

                                                                                                                            41