Access control models are usually static, i.e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i.e., the underlying policy, is needed.
Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, break-glass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems' access control enforcement architecture.
We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies.
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Extending Access Control Models with Break-glass
1. Extending Access Control Models with
Break-glass
Achim D. Brucker Helmut Petritsch
{achim.brucker, helmut.petritsch}@sap.com
Vincenz-Priessnitz-Str. , Karlsruhe, Germany
ACM Symposium on Access Control Models and Technologies
(SACMAT )
Stresa, Italy, th June
2. Outline
Motivation
Break-glass: The Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
3. Motivation
Our Vision
Assume,
we are a nurse
trying to access the patient record of Peter Meier ...
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
6. Motivation
Break-glass or Overriding Access Control
While often motivated with
health care or
public security
scenarios, also enterprises demand break-glass solutions:
for preventing stagnation on the system administration level and
for preventing stagnation on the business process level.
In fact, state of the art enterprise systems support break-glass, e.g.,
Virsa Firefighter for SAP,
Oracle’s Role Manager.
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
7. Motivation
The Situation Today
Mostly implemented using pre-staged accounts that are
either stored in sealed covers or
electronically issued on request.
Break-glass solutions should cover
the creation of break-glass accounts,
the distribution pre-staged accounts,
the monitoring of the use of break-glass accounts, and
the cleanup after an break-glass situation.
This solution is
quite coarse-grained and
not integrated into regular access control.
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
8. Outline
Motivation
Break-glass: The Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
9. Break-glass: The Main Idea
Observations and Goals
During discussions with end users, we observed:
depending on the situation, different overrides can be justified
some restrictions can never be overridden
The two main design goals are:
access-control decisions should be overrideable on a per
permission basis and
fine-grained configuration of the restrictions that can be
overridden.
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
10. Break-glass: The Main Idea
Emergeny Levels
Definition
A policy p refines a policy p′ (written p ⊑ p′) if and only if the set of
system traces that are allowed under p is a subset of the system traces
that are allowed under p′.
A policy p refines a policy p′ iff p is at least as restrictive as p′.
p⊺ is the policy that allows all actions and
p– is the policy that denies all actions.
p– refines all policies and every policy is a refinement of p⊺.
PA be the set of all policies of the access control model A.
(PA, ⊑, p–, p⊺) is a lattice.
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
11. Break-glass: The Main Idea
Regular Policies and Emergeny Policies
Definition
We refer to the regular policy, i. e., the policy that should be obeyed in
normal operations, as preg and we refer to the set of policies that are
refined by the regular policy, i. e.,
LA = {p ∣ p ∈ PA ∧ preg
⊑ p ∧ p ≠ preg
}
as emergency levels or emergency policies of the policy preg. We require
that (PA ∖ p–, ⊑, preg, p⊺) is a lattice, i. e., inf(PA ∖ p–) = preg.
An emergency level can be active or inactive.
Only active emergency levels contribute to the access control
decision.
The regular policy is always active.
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
12. Break-glass: The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by an
emergency policy ℓ ∈ LA is called
override access.
Override accesses are only granted if
there is an active policy granting
access.
Obligations can be attached to an
(emergency) policy, i.e., requiring
user confirmations or for activating
monitoring.
By evaluating the policies in
topological order, the refinement
relation holds by construction!
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
13. Outline
Motivation
Break-glass: The Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
14. A Generic Architecture Supporting Break-glass
Break-glass Architecture: Main Idea
The break-glass policy combination strategy can be
implemented by a meta PDP.
The Break-glass PDP implements the break-glass policy
combination strategy on top of existing PDPs
User confirmations can be implemented using obligations:
the various PDPs need to support obligations
the various PEPs need to support obligations
the user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlying
access control model!
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
15. A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
Obligation
Support
Protected
Resource
PEP
Break-glass
PDP
Single
Sign-on
Existing
PDP(s)
Obligation Support
Policy Manager
Authentication
1
4
2
3
3
3a
3b
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
16. Outline
Motivation
Break-glass: The Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
17. Extending Model-driven Security
The Model-driven Security Vision
A Tool-supported and Security-aware Formal Model-driven Engineering Process
1..∗
Role
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Model Transformation
Design
Phase Phase
Verification and
Code−generation Phase Deployment Phase
Testing and
UML/OCL
(XMI)
or
SecureUML/OCL
Code
Generator
Repository
Model
(su4sml)
Model−Analysis
and Verification
(HOL−OCL)
Transformation
Model
HOL−TestGen
ArgoUML
AC
Config
C#
+OCL
Test
Harness
manual
Code
Proof
Obligations
Test Data
Program
Generation
Validation
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
18. Extending Model-driven Security
The Model-driven Security Vision
A Tool-supported and Security-aware Formal Model-driven Engineering Process
1..∗
Role
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Model Transformation
Design
Phase Phase
Verification and
Code−generation Phase Deployment Phase
Testing and
UML/OCL
(XMI)
or
SecureUML/OCL
Code
Generator
Repository
Model
(su4sml)
Model−Analysis
and Verification
(HOL−OCL)
Transformation
Model
HOL−TestGen
ArgoUML
AC
Config
C#
+OCL
Test
Harness
manual
Code
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUML−plugin
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
19. Extending Model-driven Security
The Model-driven Security Vision
A Tool-supported and Security-aware Formal Model-driven Engineering Process
1..∗
Role
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Model Transformation
Design
Phase Phase
Verification and
Code−generation Phase Deployment Phase
Testing and
UML/OCL
(XMI)
or
SecureUML/OCL
Code
Generator
Repository
Model
(su4sml)
Model−Analysis
and Verification
(HOL−OCL)
Transformation
Model
HOL−TestGen
ArgoUML
AC
Config
C#
+OCL
Test
Harness
manual
Code
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations:
SecureUML −> UML/OCL
UML/OCL −> UML/OCL
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
20. Extending Model-driven Security
The Model-driven Security Vision
A Tool-supported and Security-aware Formal Model-driven Engineering Process
1..∗
Role
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Model Transformation
Design
Phase Phase
Verification and
Code−generation Phase Deployment Phase
Testing and
UML/OCL
(XMI)
or
SecureUML/OCL
Code
Generator
Repository
Model
(su4sml)
Model−Analysis
and Verification
(HOL−OCL)
Transformation
Model
HOL−TestGen
ArgoUML
AC
Config
C#
+OCL
Test
Harness
manual
Code
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML, UML, OCL
Java, C#, Junit, XACL, USE, ...
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
21. Extending Model-driven Security
The Model-driven Security Vision
A Tool-supported and Security-aware Formal Model-driven Engineering Process
1..∗
Role
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Model Transformation
Design
Phase Phase
Verification and
Code−generation Phase Deployment Phase
Testing and
UML/OCL
(XMI)
or
SecureUML/OCL
Code
Generator
Repository
Model
(su4sml)
Model−Analysis
and Verification
(HOL−OCL)
Transformation
Model
HOL−TestGen
ArgoUML
AC
Config
C#
+OCL
Test
Harness
manual
Code
Proof
Obligations
Test Data
Program
Generation
Validation
HOL−OCL
formal analysis
formal verification
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
22. Extending Model-driven Security
The Model-driven Security Vision
A Tool-supported and Security-aware Formal Model-driven Engineering Process
1..∗
Role
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Model Transformation
Design
Phase Phase
Verification and
Code−generation Phase Deployment Phase
Testing and
UML/OCL
(XMI)
or
SecureUML/OCL
Code
Generator
Repository
Model
(su4sml)
Model−Analysis
and Verification
(HOL−OCL)
Transformation
Model
HOL−TestGen
ArgoUML
AC
Config
C#
+OCL
Test
Harness
manual
Code
Proof
Obligations
Test Data
Program
Generation
Validation
HOL−TestGen
model−based unit test
sequence testing
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
23. Extending Model-driven Security
The Model-driven Security Vision
A Tool-supported and Security-aware Formal Model-driven Engineering Process
1..∗
Role
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Class
+ Public Method
# Protected Method
attribute: Type
− Private Method
Model Transformation
Design
Phase Phase
Verification and
Code−generation Phase Deployment Phase
Testing and
UML/OCL
(XMI)
or
SecureUML/OCL
Code
Generator
Repository
Model
(su4sml)
Model−Analysis
and Verification
(HOL−OCL)
Transformation
Model
HOL−TestGen
ArgoUML
AC
Config
C#
+OCL
Test
Harness
manual
Code
Proof
Obligations
Test Data
Program
Generation
Validation
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
24. Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource
0..* 0..* 1..* 0..* 0..* 1..* 0..*
0..*
0..*
0..* 0..* 0..*
0..1 0..*
0..*
SecureUML
is a UML-based notation,
provides abstract Syntax given by MOF compliant metamodel,
is pluggable into arbitrary design modeling languages,
is supported by an ArgoUML plugin.
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
25. Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource
0..* 0..* 1..* 0..* 0..* 1..* 0..*
0..*
0..*
0..* 0..* 0..*
0..1 0..*
0..*
Policy Obligation
1..*
0..*
1..* 0..*
0..*
0..*
SecureUML
is a UML-based notation,
provides abstract Syntax given by MOF compliant metamodel,
is pluggable into arbitrary design modeling languages,
is supported by an ArgoUML plugin.
can easily be extended with support for break-glass.
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
26. Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecord
disease:String
medication:String
read():OclVoid
update():OclVoid
create():OclVoid
Patient
name:String
0..*
owner 1
«secureuml.role»
UserRole
«secureuml.role»
AdministratorRole
«secureuml.permission»
OwnerMedicalRecord
MedicalRecord:read
MedicalRecord:update
MedicalRecord:delete
caller=self.owner.name
«secureuml.policy»
LowEmergencyLevel
«secureuml.policy»
HighEmergencyLevel
«secureuml.permission»
EmergencyOwnerMedicalRecord
MedicalRecord:read
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
29. Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML, we can generate
the policies and
the PDP configuration.
In particular, we
sort the policies topological,
use the “first-applicable” combining algorithm of XACML, and
exploit the obligations support of XACML.
With respect to the application, we generate
(stubs of) the business logic,
the calls to PDP, and
the PEP.
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
30. Outline
Motivation
Break-glass: The Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
31. Conclusion and Future Work
Conclusion and Future Work
We presented a
a generic break-glass model that allows the fine-grained,
overriding of access control decisions,
an generic architecture for implementing break-glass,
an extension of SecureUML supporting break-glass, and
the mapping of break-glass to XACML
Future work includes the integration and development of
analysis techniques for user providing feedback to the user,
break-glass concepts for IT compliance, and
techniques for a posteriori analysis of incidents.
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
33. Bibliography
Bibliography
Achim D. Brucker and Helmut Petritsch.
Extending access control models with break-glass.
In ACM symposium on access control models and technologies (SACMAT), pages
–. ACM Press, .
A.D. Brucker and H. Petritsch (SAP Research) Access Control Models with Break-glass SACMAT