autho horization rization mana nagement gement
play

Autho horization rization Mana nagement gement Bojan Suzic, - PowerPoint PPT Presentation

Oct 28, 2022 •134 likes •481 views

Struc ructuring turing the he Sco cope: e: En Enabling ing Adaptive ive and nd Multilat ltilateral eral Autho horization rization Mana nagement gement Bojan Suzic, Andreas Reiter and Alexander Marsalek Graz University of

  1. Struc ructuring turing the he Sco cope: e: En Enabling ing Adaptive ive and nd Multilat ltilateral eral Autho horization rization Mana nagement gement Bojan Suzic, Andreas Reiter and Alexander Marsalek Graz University of Technology, Austria This work is supported by A-SIT Secure Information Technology Center Austria and EU H2020 Programme under the SUNFISH project, grant No. 644666.

  2. Ove vervi view  Introduction and Motivation  Properties of Access Scopes  Integrated Authorization Management  Application in Use Scenario  Conclusion 2 SPC @ IEEE Conference on Communications and Network Security ◦ Las Vegas, USA ◦ October 11th 2017

  3. Introduction Cloud services expose their resources and operations using Web APIs Web APIs are applied to support core business of service providers How can be security aspects of service use and resource sharing be managed? Some issues: o Obstacles due to proprietary interfaces and hard-wiring o Interoperability of security controls across diverse organizations o Provider-centric management of security in the cloud o Capability of security controls Managing and coordinating security of our assets hosted at other providers? 3 Introduction

  4. Motivational Scenario eXample Inc. uses Zapier to automate its tasks Zapier connects data sources from Gmail and MailChimp on behalf of a customer Web APIs (REST) typically applied to expose and share resources Task: o Periodically retrieve and extract email senders from recent emails at Gmail o Add them as subscribers to a list at MailChimp on behalf of 4 Motivational Scenario

  5. Authorization in the Cloud Authorization: Zapier needs access to resources at both providers Typical case relies on OAuth 2.0 Web Authorization Framework – RFC 6749 Primary concepts in OAuth 2.0: o Resource owner, resource server, authorization server, client o Initiate authorization flow to obtain access credentials o Access token – most commonly used access credential o Access scope – determines the extent of permissions given to the agent 5 Motivational Scenario

  6. Authorization Flows Obtaining access token (initially) Authorization Server Retrieving resource or performing operations (repetitive) Access token Resource Server Protected resource The same flow is applied in the case of MailChimp as well 6 Motivational Scenario

  7. Obtaining Consent - Zapier Resource owner is presented with the interface to review and allow the permissions given to the client Permissions are abstracted as a scope Scopes requested by Zapier: o gmail.compose o gmail.modify Both scopes provide broad range of operations over all instances of subsumed resources 7 Motivational Scenario

  8. Obtaining Consent - MailChimp MailChimp does not apply scopes The given permissions include all operations over every resource No compartmentalization applied 8 Motivational Scenario

  9. Broad Permissions Requirements from use cases: o Gmail: (1) retrieving a list of recent messages and (2) the value of From: field from the header of these messages needed o MailChimp: (3) adding an entity to a particular subscriber list The problem with broad permissions : o Zapier allowed to retrieve and manage all messages in an account o This includes managing drafts, sending or temporarily deleting messages o Can execute any API operation at MailChimp Potentially leads to numerous security and privacy risks Applies to most integrations 9 Motivational Scenario

  10. Properties of Access Scopes Unilateral definition Invariable Established by the service provider Unstructured Designated as a predefined set Out-of-the-band Imposed to other entities Coupled Excluding resource owners and clients Context insensitive 10 Scope properties

  11. Properties of Access Scopes Unilateral definition Invariable Unstructured Statically determined Out-of-the-band Immutable sets of permissions Coupled Typically do not change in production Context insensitive 11 Scope properties

  12. Properties of Access Scopes Unilateral definition Invariable Unstructured Defined as opaque strings Out-of-the-band Cannot be decomposed Coupled Authorization extent cannot be derived Context insensitive Discovery of supported or provided authorizations not possible Dynamic definition not supported 12 Scope properties

  13. Properties of Access Scopes Unilateral definition Invariable Unstructured Out-of-the-band The scope extent communicated non-transparently Coupled Described in service documentation (for developers) Context insensitive Applications cannot interpret the scope 13 Scope properties

  14. Properties of Access Scopes Unilateral definition Invariable Unstructured Out-of-the-band Specific to the service Coupled May reflect business model or view of SP Context insensitive Cannot be decomposed Predefined set with built-in properties 14 Scope properties

  15. Properties of Access Scopes Unilateral definition Invariable Unstructured Out-of-the-band Coupled Cannot express attributes of resources, Context insensitive environment or involved parties The same parameters apply to all contexts (end-users, resources, target environment) 15 Scope properties

  16. Integrated Authorization Management Supporting integrated authorization management: Granular specification of authorizations Claiming acceptable constraints Context-dependent enforcement Selective and transformational sharing Scalable management 16 Integrated Authorization Management

  17. Contribution Defining management flows o Supporting cooperative and adaptive authorization management Defining supporting vocabularies o Describing requests, responses, contextual properties and resource restrictions o Describing access control and OAuth 2.0 entities Establishing authorization descriptor o Relies on vocabularies o Supports granular, instructive and expressive specification o Structuring authorization requirements and grants o Applicable beyond single organization 17 Integrated Authorization Management

  18. Management Flows Defining management flows: (1) ) Expos posing ng the servi rvice ce descripto criptor (2) Determining the request scope (3) Requesting authorization (4) Refining authorization extent (5) Transforming into security policy (6) Inspecting authorization descriptor Provider exposes service description Includes available resources, their structure and organization 18 Integrated Authorization Management

  19. Management Flows Defining management flows: (1) Exposing the service descriptor (2) ) De Determ rminin ining g the request uest scope pe (3) Requesting authorization (4) Refining authorization extent (5) Transforming into security policy (6) Inspecting authorization descriptor Client retrieves service model and decides the extent of required permissions Finding intersection between security and functional goals Considers exposed resources, applicable constraints and supported operations 19 Integrated Authorization Management

  20. Management Flows Defining management flows: (1) Exposing the service descriptor (2) Determining the request scope (3) ) Requesting uesting authori horiza zati tion on (4) Refining authorization extent (5) Transforming into security policy (6) Inspecting authorization descriptor Client generates authorization request Expresses its acceptable range of permissions and constraints Deliver request interactively or asynchronously 20 Integrated Authorization Management

  21. Management Flows Defining management flows: (1) Exposing the service descriptor (2) Determining the request scope (3) Requesting authorization (4) ) Refini ining ng authoriz orizat ation ion extent ent (5) Transforming into security policy (6) Inspecting authorization descriptor Resource owner inspects and refines the request Interactive request: inspected using owner’s client involved in the flow Asynchronous request: on the side of service provider 21 Integrated Authorization Management

  22. Management Flows Defining management flows: (1) Exposing the service descriptor (2) Determining the request scope (3) Requesting authorization (4) Refining authorization extent (5) ) Transforming ng into o secu curity rity policy cy (6) Inspecting authorization descriptor After consent by resource owner is obtained Server-side transformation into security policy Considers target system and environment 22 Integrated Authorization Management

  23. Management Flows Defining management flows: (1) Exposing the service descriptor (2) Determining the request scope (3) Requesting authorization (4) Refining authorization extent (5) Transforming into security policy (6) ) Inspecti ecting ng au authori horiza zati tion on descri criptor ptor Optionally providing authorization descriptor back to the client Allows the client to determine the degree of provided (redacted) permissions 23 Integrated Authorization Management

  24. Vocabularies Uses semantic vocabulary as a building block, establishing a formal, explicit specification of a shared conceptualization Explicitly defined concepts, properties, Machine- Consensual knowledge relations, functions, constraints, axioms understandable Abstract model and simplified view of some phenomenon Ω = (C, R, E, I) C – classes (unary predicates) R – relations (binary or higher predicates) E – explicit instances of classes and relations A - axioms 24 Integrated Authorization Management

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

PER ERFORMANCE ORMANCE MA MANA NAGEMENT GEMENT TRAINING SHAWNE WNEE E STATE TE UNIVE

PER ERFORMANCE ORMANCE MA MANA NAGEMENT GEMENT TRAINING SHAWNE WNEE E STATE TE UNIVE

PER ERFORMANCE ORMANCE MA MANA NAGEMENT GEMENT TRAINING SHAWNE WNEE E STATE TE UNIVE IVERSIT RSITY HUMAN MAN RES ESOUR OURCE CES S DEP EPARTMEN TMENT Agenda 2 Introduction & Background I. Expectations II. Orientation

635 views • 46 slides
Temp mporal Ma Mana nagement gement of of R RFID Da Data Peiya Liu and Fusheng Wang

Temp mporal Ma Mana nagement gement of of R RFID Da Data Peiya Liu and Fusheng Wang

Temp mporal Ma Mana nagement gement of of R RFID Da Data Peiya Liu and Fusheng Wang Integrated Data Systems Department Siemens Corporate Research Princeton, New Jersey 31st International Conference on Very Large Databases August 31,

646 views • 26 slides
Se Securit ity fr from om Pap aper to o Tak ake-Of Off Ma Mana nagement T Team Tony

Se Securit ity fr from om Pap aper to o Tak ake-Of Off Ma Mana nagement T Team Tony

Se Securit ity fr from om Pap aper to o Tak ake-Of Off Ma Mana nagement T Team Tony Gallo Managing Partner More than 30 years experience in the Security, Audit, Safety, and Emergency Management fields in which he specializes in

588 views • 19 slides
Data Ma Mana nagement for r Vide deo Ana nalyti tics Video data is everywhere. Brandon

Data Ma Mana nagement for r Vide deo Ana nalyti tics Video data is everywhere. Brandon

7/26/2019 Data Ma Mana nagement for r Vide deo Ana nalyti tics Video data is everywhere. Brandon Haynes, Maureen Daum, Amrita Mazumdar, Magdalena Balazinsk ska, Luis Ceze, & Alvin Cheung 1 2 1 2 Width in pixels Height in pixels

646 views • 11 slides
Blood ood Mana nagem gement ent Serv rvic ice Last t update te was done e in 20 2010

Blood ood Mana nagem gement ent Serv rvic ice Last t update te was done e in 20 2010

Blood ood Mana nagem gement ent Serv rvic ice Last t update te was done e in 20 2010 10 Curren entl tly y not t being g used provincia vinciall lly Th This form m was not standar ndardiz dized ed withi hin n the

810 views • 23 slides
Princ incipal ipal Talent lent Ma Mana nagement ement in in t the e Denver er Public

Princ incipal ipal Talent lent Ma Mana nagement ement in in t the e Denver er Public

Princ incipal ipal Talent lent Ma Mana nagement ement in in t the e Denver er Public lic Schools ols: : Supporting Principal Effectiveness to Boost Student Achievement A Great Principal Use the sticky notes on your table to

495 views • 10 slides
MA MANA NAGEMEN GEMENT T AND ND MO MONI NITORING ORING PL PLANS NS MVLWB Technical

MA MANA NAGEMEN GEMENT T AND ND MO MONI NITORING ORING PL PLANS NS MVLWB Technical

MA MANA NAGEMEN GEMENT T AND ND MO MONI NITORING ORING PL PLANS NS MVLWB Technical Session Snap Lake Mine Final Closure, and Water Licence and Land Permit Renewal July 16 to 18, 2019 PUBLIC LIC PRESEN ENTATION ION OUTL TLINE

510 views • 11 slides
Traff ffic M Mana nagement C Cente enters rs fo for th the e Extre treme Do Do-It-Your

Traff ffic M Mana nagement C Cente enters rs fo for th the e Extre treme Do Do-It-Your

Traff ffic M Mana nagement C Cente enters rs fo for th the e Extre treme Do Do-It-Your urselfe fer Tom Mahood City of Orange Traffic Engineer March 28, 2007 ITE 2007 Technical Conference Traffic ffic M Management C t Cente

513 views • 19 slides
The Futur he Future of e of Or Organic ganic Resour esource ce Mana Management gement THE

The Futur he Future of e of Or Organic ganic Resour esource ce Mana Management gement THE

The Futur he Future of e of Or Organic ganic Resour esource ce Mana Management gement THE CARBON EXCHANGE PLATFORM The Platform turns a one-way transaction into a cyclical flow of materials and revenues. Closing the Water Recirculation

740 views • 23 slides
Ma Mana nageme gement nt Fact actor ors s Impleme Implement nted t ed to o Maintain P

Ma Mana nageme gement nt Fact actor ors s Impleme Implement nted t ed to o Maintain P

Ma Mana nageme gement nt Fact actor ors s Impleme Implement nted t ed to o Maintain P Mainta in Produc oduction tion Dur During Times of ing Times of Hea Heat t Str Stress ess Morgan Overvest, M. Sc. Overdale Farms,

514 views • 28 slides
NORTH TH PI PILE LE AND D WATER TER MANA NAGE GEMENT MENT MVLWB Technical Session Snap

NORTH TH PI PILE LE AND D WATER TER MANA NAGE GEMENT MENT MVLWB Technical Session Snap

NORTH TH PI PILE LE AND D WATER TER MANA NAGE GEMENT MENT MVLWB Technical Session Snap Lake Mine Final Closure, and Water Licence and Land Permit Renewal July 16 to 18, 2019 PUBLIC LIC PRESEN ENTATION ION OUTL TLINE Overview of

770 views • 45 slides
Tatton A tton Ass sset et Ma Mana nagemen gement t Pl Plc Spring 2018 P pring 2018 Par

Tatton A tton Ass sset et Ma Mana nagemen gement t Pl Plc Spring 2018 P pring 2018 Par

Tatton A tton Ass sset et Ma Mana nagemen gement t Pl Plc Spring 2018 P pring 2018 Par artner F tner For orum um Paul l Hogarth Our first year as a Plc 2 TRADING STATEMENT Tatton AUM 5.0bn from 3.9bn PPL 368

462 views • 19 slides
Water tershed Mana shed Manageme gement nt Plan, Plan, Town of wn of Butt Butter ernuts

Water tershed Mana shed Manageme gement nt Plan, Plan, Town of wn of Butt Butter ernuts

But Butter ternut nut Cr Creek eek Water tershed Mana shed Manageme gement nt Plan, Plan, Town of wn of Butt Butter ernuts nuts Danny Lapin, AICP , Environmental Planner September 11, 2019 Before We Get Started Please sign

548 views • 32 slides
LL LLFA Role i ole in n Flood lood and and Water ter Mana Ma nage gement ment Act ct

LL LLFA Role i ole in n Flood lood and and Water ter Mana Ma nage gement ment Act ct

LL LLFA Role i ole in n Flood lood and and Water ter Mana Ma nage gement ment Act ct 20 2010 10 Serving the people of Cumbria Lead Local Flood Authority Role Supervisory role in local flood risk management

755 views • 16 slides
Michigan Critical Access STRATEGY GROUP #2 DATA M A MANA NAGEMENT NT Hospital Quality AND

Michigan Critical Access STRATEGY GROUP #2 DATA M A MANA NAGEMENT NT Hospital Quality AND

Michigan Critical Access STRATEGY GROUP #2 DATA M A MANA NAGEMENT NT Hospital Quality AND ND A ANAL ALYSI SIS S Network AS A PREMIER SYSTEM OF QUALITY, THE MICHIGAN CRITICAL ACCESS HOSPITAL QUALITY NETWORK (MICAH QN) WILL BE A MODEL

358 views • 16 slides
Risk-Rated Portfolio Solutions Agenda Agenda Introduction 1. o The Rivers Approach to

Risk-Rated Portfolio Solutions Agenda Agenda Introduction 1. o The Rivers Approach to

RI RIVE VERS RS CA CAPIT ITAL AL MANA NAGEMENT GEMENT Risk-Rated Portfolio Solutions Agenda Agenda Introduction 1. o The Rivers Approach to Investment o Working with Advisors The Investment Process 2. o Risk Rated Growth or Income

679 views • 21 slides
Unilateral Price Variations in Market Retail Contracts Andrew Reeves, Chair Todays forum GOAL:

Unilateral Price Variations in Market Retail Contracts Andrew Reeves, Chair Todays forum GOAL:

Unilateral Price Variations in Market Retail Contracts Andrew Reeves, Chair Todays forum GOAL: Informed, confident consumers who can participate in and are well served by the retail energy market ISSUES: Market complexity (pricing, jargon and

101 views • 6 slides
The Unilateral Implementation of a Sustainable Growth Path with Directed Technical Change Inge

The Unilateral Implementation of a Sustainable Growth Path with Directed Technical Change Inge

The Unilateral Implementation of a Sustainable Growth Path with Directed Technical Change Inge van den Bijgaart University of Gothenburg Introduction & Motivation } Unilateral climate policy } EU emission trading scheme; Californias

465 views • 32 slides
CWA Presentation on Proposed Sprint/T-Mobile Merger March 6, 2019 Introduction 1. Competitive

CWA Presentation on Proposed Sprint/T-Mobile Merger March 6, 2019 Introduction 1. Competitive

CWA Presentation on Proposed Sprint/T-Mobile Merger March 6, 2019 Introduction 1. Competitive Impacts of Proposed Merger 2. Retail Job Loss Analysis 3. Labor Market Concentration 4. T- Mobile and Sprints History of Violating Workers

582 views • 22 slides
60b Chair Massage: Technique Review and Practice 60b Chair Massage: Technique Review and Practice

60b Chair Massage: Technique Review and Practice 60b Chair Massage: Technique Review and Practice

60b Chair Massage: Technique Review and Practice 60b Chair Massage: Technique Review and Practice Class Outline 5 minutes Attendance, Breath of Arrival, and Reminders 10 minutes Lecture: 25 minutes Lecture: 15 minutes Active study

251 views • 10 slides
Presenters Brad English Hobie Frady Maynard Cooper & Gale Beason & Nally

Presenters Brad English Hobie Frady Maynard Cooper & Gale Beason & Nally

Presenters Brad English Hobie Frady Maynard Cooper & Gale Beason & Nally benglish@maynardcooper.com hfrady@beasonnalley.com 256.533.1720 256.512.5705 Preserve Your Right to Obtain an Equitable Adjustment: Practical Legal and

365 views • 36 slides
Food prices and the multiplier effect of export policy Paolo Giordani , LUISS University Nadia

Food prices and the multiplier effect of export policy Paolo Giordani , LUISS University Nadia

Food prices and the multiplier effect of export policy Paolo Giordani , LUISS University Nadia Rocha , World Trade Organization Michele Ruta , World Trade Organization First IMF/WB/WTO Trade Workshop , December 2011 Motivation Rising food

453 views • 29 slides
W hile the Winter of 2003-2004 will be enforcement action, the claimant has no statutory

W hile the Winter of 2003-2004 will be enforcement action, the claimant has no statutory

G Environmental Law Alert March 2004 Winter of 2003-2004, Hot One For Superfund Developments By Richard F. Ricci, Esq., Michael J. Caffrey, Esq., Todd M. Hooker, Esq., and Priya R. Masilamani, Esq. W hile the Winter of 2003-2004 will be

332 views • 4 slides
Does Comparative Advantage Induce Unilateral Liberalization? The Case of Services Erik van der

Does Comparative Advantage Induce Unilateral Liberalization? The Case of Services Erik van der

Does Comparative Advantage Induce Unilateral Liberalization? The Case of Services Erik van der Marel ECIPE January 31, 2014 Abstract This paper addresses the empirical question whether having comparative advantage leads countries to

418 views • 25 slides

More recommend