Community Educational Online Seminar Series on IT Security
January 11 2016, 9-10AM PDT, 5-6PM GMT, 6-7PM CET, Presenter: Dr. Ulrich Lang, CEO
Access control implementation is critical but increasingly complex. In this purely educational community webinar, which was also held as a 2-hour seminar at ToorCon 2015, we covered why traditional approaches are often insufficient, which new approaches are available, and which ones suit which environment.
- UNDERSTAND THE PROBLEM that Access Control (“AC”) implementation today is frequently inadequate, not well-understood, and confusing:
  - On the one hand, security requirements are usually pretty stringent (on paper), e.g. access based on the “minimum necessary” (“least privilege”) etc. – but little or no implementation guidance is provided.
  - On the other hand, AC implementations are based on simplistic, coarse-grained policy models (e.g. pure identity-based, role-based etc.) because they are manageable (*BUT* they usually do not adequately implement the requirements, often resulting in vast overprovisioning of access and a lack of access auditability).
- AC BACKGROUND: present a brief history of AC (incl. e.g. MAC, DAC, RBAC, IBAC, and authorization token-based AC (ZBAC)).
- IMPACT OF TODAY’S/TOMORROW’S ENVIRONMENTS on AC implementations:
  - IT landscape impacts for IoT, big data analytics, cloud, mobile, SOA etc., incl. large scale (many systems and a lot of data), rapid/dynamic change, “super-interconnectedness” etc.
  - Business environment impacts, incl. complex multi-stakeholder trust boundaries (esp. in cloud and often IoT).
- IMPACT OF TODAY’S POLICIES: Today’s policy requirements are often highly complex, e.g. contextual, dynamic access based on many deciding factors. We cover examples of security, privacy and data protection requirements that impact AC implementation.
- NEW/EMERGING APPROACHES: present numerous state-of-the-art and emerging AC implementation approaches, incl. attribute-based AC, proximity-based AC, risk-adjusted AC (RAdAC), health-based AC, business-process-based AC, graph-based AC, various newer AC policy management approaches and many more (with a basis in the scientific literature).
- WHICH APPROACH FOR WHICH USE CASE: present an analysis of which AC approaches are most suitable for which environments/requirements. Examples: (a) proximity-based AC together with attribute-based AC and a highly distributed enforcement architecture that controls information flows between nodes (e.g. systems) is often best for IoT/IIoT. (b) history-based AC and attribute-based AC with semantic data labeling and centralized access decision-making at the data store is often preferable for big data analytics. We present experiences gained from case studies of multi-partner research projects (EU FP7 ICSI for (a), and EU FP7 VALCRI for (b)).
- REALITY CHECK/CONCLUSION: Summarize the main take-home messages, recommendations and references.
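To make the overprovisioning problem and the big-data pattern (b) concrete, here is an added example that is not part of the seminar material: a coarse role-based policy placed beside an attribute-based policy with semantic sensitivity labels and a history-based conflict-of-interest rule, both decided centrally at a constructed analytics data store. All subjects, labels, conflict sets and rules are constructed for illustration.

```python
# Added example (not from the seminar): coarse RBAC beside attribute- and
# history-based AC for a constructed analytics data store. Every subject,
# label and rule below is constructed for illustration only.

# Role-based: every analyst may read every record type, whatever the case.
ROLE_PERMISSIONS = {"analyst": {"case_file", "person_record"}}

# Conflict-of-interest sets used by the history-based rule (constructed).
CONFLICTS = {"case-A": {"case-B"}, "case-B": {"case-A"}}


def rbac_decide(subject: dict, resource: dict) -> bool:
    """Coarse RBAC: the decision depends only on role and record type."""
    return resource["type"] in ROLE_PERMISSIONS.get(subject["role"], set())


class HistoryAbac:
    """ABAC over semantic data labels plus a history-based conflict rule."""

    def __init__(self) -> None:
        self.history: dict[str, set[str]] = {}  # subject id -> cases already read

    def decide(self, subject: dict, resource: dict, context: dict) -> tuple[bool, str]:
        # Attribute rule: clearance label must dominate the data sensitivity label.
        if subject["clearance"] < resource["sensitivity"]:
            return False, "clearance below data sensitivity"
        # Contextual rule: sensitive data only for an assigned case, from a managed device.
        if resource["sensitivity"] >= 2 and (
            resource["case"] not in subject["assigned_cases"] or not context["managed_device"]
        ):
            return False, "least-privilege context check failed"
        # History rule: after reading one case of a conflict set, the other is denied.
        seen = self.history.setdefault(subject["id"], set())
        if seen & CONFLICTS.get(resource["case"], set()):
            return False, "conflict of interest with earlier access"
        seen.add(resource["case"])
        return True, "permit"


# Constructed sample: an analyst assigned only to case-A asks for a sensitive
# case-B record from an unmanaged laptop. RBAC permits it; ABAC does not.
ANALYST = {"id": "u1", "role": "analyst", "clearance": 2, "assigned_cases": {"case-A"}}
RECORD_A = {"type": "case_file", "case": "case-A", "sensitivity": 2}
RECORD_B = {"type": "person_record", "case": "case-B", "sensitivity": 2}

if __name__ == "__main__":
    pdp = HistoryAbac()
    print("RBAC:", rbac_decide(ANALYST, RECORD_B))
    print("ABAC:", pdp.decide(ANALYST, RECORD_B, {"managed_device": False}))
    print("ABAC:", pdp.decide(ANALYST, RECORD_A, {"managed_device": True}))
```

Because the decision is taken in one place, each denial reason is also a ready-made audit record, which the coarse role check cannot provide.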
This online seminar was purely educational. We did a deep-dive into various technical access control technologies and looked at how to implement them as an engineer or security professional. Our goal is to educate about these topics so that hopefully our industry can move forward and provide more effective security. Right now the industry is obviously largely failing, and most security people don’t even realize that they have the access control implementation problems they have, nor are they aware of leading-edge access control approaches and tools. So this is definitely going to be educational!
– this webinar is now full –
Please contact us to get on the list for the next one.