differentiated access control differentiated access
play

Differentiated access control Differentiated access control to - PowerPoint PPT Presentation

Feb 10, 2024 •436 likes •596 views

Differentiated access control Differentiated access control to graph data to graph data Application to TinkerPop-compatible Application to TinkerPop-compatible graph databases graph databases Marc de Lignie Marc de Lignie Image courtesy:

  1. Differentiated access control Differentiated access control to graph data to graph data Application to TinkerPop-compatible Application to TinkerPop-compatible graph databases graph databases Marc de Lignie Marc de Lignie Image courtesy: http://cosmicweb.barabasilab.com/

  2. About me 1. self-taught data scientist, starting from a PhD in physics 2. interested in graph analytics and data fusion 3. employed at a Dutch government agency 4. contributor to 5. active in community 6. http://yaaics.blogspot.com FOSDEM 2019 2

  3. Differentiated access control to graph data 1. Exploration 2. Directions 3. Application to TinkerPop/JanusGraph << notebook demo>> 4. Wrap-up FOSDEM 2019 3

  4. Exploration: N data sources into 1 graph Business: person1 order1 buying history likes location1 Finance: payments product1 product2 Marketing person2 order2 Research: facebook data (This) business department may not be allowed to use exact location and facebook data for recommendations FOSDEM 2019 4

  5. Exploration: unauthorized edges person2 Store1 person3 person1 Store2 person4 Some users may not be allowed to traverse edges from Store2 FOSDEM 2019 5

  6. Differentiated access control to graph data 1. Exploration 2. Directions - separate graph stored per user group - datastore with cell-level security - filtering while traversing the graph 3. Application to TinkerPop/JanusGraph << notebook demo>> 4. Wrap-up FOSDEM 2019 6

  7. Directions: separate graph stored per user group Criterion one graph for all graph per user group #management processes + limited ○ scales with #groups available (cache) memory + exclusive ○ divided between groups CPU efficiency ○ authorization processing ○ support additional I/O network I/O efficiency + data shared ○ no sharing disk I/O efficiency + data shared ○ no sharing resilience wrt corruption ○ everyone or no one + just one graph scalability #user groups + not needed ○ limited FOSDEM 2019 7

  8. Directions: datastore with cell-level security need cell-level security to have the data store honor user authorizations ● cell-level user authorizations not implemented ● in current JanusGraph and Neo4j data formats https://docs.janusgraph.org/0.3.1/data-model.html http://key-value-stories.blogspot.com/2015/02/neo4j-architecture.html FOSDEM 2019 8

  9. Directions: filtering while traversing the graph [1/2] name = e01 authz = ["biz;3"] name = p0 authz = ["biz;3","fb;2"] user 1 name = v1 name = e11 authz = ["biz;1","biz;2","biz;3","fb;1"] authz = ["biz;3"] authz = ["fin;3"] name = p1 name = e12 authz = ["fin;3"] authz = ["fin;3"] name = v2 authz = ["fin;2"] name = e22 user 2 name = p2 authz = ["fin;4"] authz = ["biz;1","fin;1","fin;2","fin;3" ] authz = ["fin2"] Authorizations Authorization options assigned to users for element access FOSDEM 2019 9

  10. Directions: filtering while traversing the graph [2/2] graph application business logic & UI graph application model API graph application query logic unused private AuthorizedTraversal API filtering & restriction graph database API external graph database Correctly honoring user authorizations as a separate concern FOSDEM 2019 10

  11. Differentiated access control to graph data 1. Exploration 2. Directions 3. Application to TinkerPop/JanusGraph << notebook demo>> 4. Wrap-up FOSDEM 2019 11

  12. Application to TinkerPop: java-gremlin DSL Graph C GraphTraversalSource GraphTraversal I I C TinkerGraph C DefaultGraphTraversal DSL C __ anonymous graph traversal C StandardJanusGraph AuthorizedTraversalSource extends GraphTraversalSource: ● a java-gremlin DSL on top of the TinkerPop APIs ● restricts the TinkerPop APIs to authorized data access (this needs a few instances of stack inspection, which is fragile) FOSDEM 2019 12

  13. Application to TinkerPop: notebook demo userAuthz = ["biz;1", "biz;2", "biz;3"] graph.traversal(). V().has("authz", within(userAuthz)).has("name", "Mathilde"). outE("likes").has("authz", within(userAuthz)). inV().has("authz", within(userAuthz)). outE("lives").has("authz", within(userAuthz)). inV().has("authz", within(userAuthz)).has("city", "Brussels") graph.traversal(AuthorizedTraversalSource.class). withAuthorization(userAuthz). V().has("name", "Jane"). out("likes"). out("lives").has("city", "Brussels") https://github.com/vtslab/janusgraph/tree/fosdem2019/fosdem2019 FOSDEM 2019 13

  14. Wrap-up 1. Right visibility of sensitive graph data to different user groups is not easy to achieve 2. Separate graphs per user group result in penalties for performance and maintenance 3. Cell-level security is not part of data format of current graph databases 4. Filtering while traversing the graph is feasible – if fragile – provided that it is done within the context of a secure endpoint FOSDEM 2019 14

  15. Differentiated access control Differentiated access control to graph data to graph data THANK YOU THANK YOU Image courtesy: http://cosmicweb.barabasilab.com/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Isolation and poverty: the relationship between spatially differentiated access to goods and

Isolation and poverty: the relationship between spatially differentiated access to goods and

Isolation and poverty: the relationship between spatially differentiated access to goods and services and poverty Kate Bird, Andy McKay &amp; Isaac Shinyekwa Understanding and Addressing Spatial Poverty Traps. Spier Estate, Stellenbosch, 29

460 views • 17 slides
Noise Differentiated Track Access Charges for Rail Infrastructure an Approach towards an

Noise Differentiated Track Access Charges for Rail Infrastructure an Approach towards an

Noise Differentiated Track Access Charges for Rail Infrastructure an Approach towards an adequate Pricing for Externalities in the Rail- Sector? Presentation at Conference on Applied Infrastructure Research Berlin University of Technology

268 views • 23 slides
Differentiated Essential Differentiated Essential Competencies (DECs) 1 Introduction

Differentiated Essential Differentiated Essential Competencies (DECs) 1 Introduction

Differentiated Essential Differentiated Essential Competencies (DECs) 1 Introduction Purpose of Webinar History Rationale Implementation Questions &amp; Answers Q ti &amp; A 2 Welcome! Director of Nursing

316 views • 31 slides
Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct

Access Control Access Control 1 Access Control Access control : ensures that all direct accesses to object are authorized a scheme for mapping users to allowed actions Protection objects : system resources for which protection is

576 views • 21 slides
Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of

Access Control and Protection Overview Access control: What and Why Abstract Models of Access Control Discretionary acces control Mandatory access control Real systems: Unix Access Control Model Access control Access

817 views • 47 slides
Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control?

Access Control Jackson Argo Rackspace MO After-hours April 28, 2016 What is Access Control? How Is Access Determined? Who Determines Access? Forms of Access Control SELinux Booleans iptables File Access Control Lists Apache Access Control

711 views • 36 slides
EQUITABLE ACCESS INITIATIVE Draft Project overview and timeline Equitable Access Initiative (EAI)

EQUITABLE ACCESS INITIATIVE Draft Project overview and timeline Equitable Access Initiative (EAI)

EQUITABLE ACCESS INITIATIVE Draft Project overview and timeline Equitable Access Initiative (EAI) Joint Initiative by nine convening organizations Objective Develop a more differentiated approach than traditional country classification by

279 views • 10 slides
1 General Access Control General Access Control Control of access to memory relatively easy:

1 General Access Control General Access Control Control of access to memory relatively easy:

Role of Access Control Before closing back doors we need to close front doors Access control: determines access to files &amp; processes in OS Fall 2008 We will return to these themes throughout the course Fall 2008 CS

512 views • 6 slides
SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing

SYSTEM DIAGRAMS Door Entry &amp; Access Control ACCESS CONTROL ACCESS CONTROL Allowing residents / staff access to site areas Main entrance Vehicle entrances Pedestrian entrances Gate / Barrier entrance Bin / Bike / Refuge

336 views • 14 slides
Differentiated Durable Goods Monopoly and Competition Nava and Schiraldi London School of

Differentiated Durable Goods Monopoly and Competition Nava and Schiraldi London School of

Differentiated Durable Goods Monopoly and Competition Nava and Schiraldi London School of Economics March 2018 Nava (LSE) Differentiated Durable Goods Mar 18 1 / 74 Focus: Differentiated Durable Goods We study the incentives to

1.28k views • 74 slides
Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs

Overview Basic Principles Access Control Methodologies Controls Access Control Designs Access Control Administration Accountability Chapter 2 Access Control Models Identification and Authentication Methods Lecturer:

708 views • 9 slides
What is differentiated care &amp; global guidance for scale up Lynne Wilkinson International AIDS

What is differentiated care &amp; global guidance for scale up Lynne Wilkinson International AIDS

What is differentiated care &amp; global guidance for scale up Lynne Wilkinson International AIDS Society 16 May 2017 www.iasociety.org Differentiated care is a client-centred approach that simplifies and adapts HIV services across the cascade

387 views • 21 slides
Creating Differentiated Storage Offerings Using Cinder Volume Types Bob Callaway, PhD Cloud

Creating Differentiated Storage Offerings Using Cinder Volume Types Bob Callaway, PhD Cloud

Creating Differentiated Storage Offerings Using Cinder Volume Types Bob Callaway, PhD Cloud Solutions Group, NetApp @rdcallaw 1 Agenda Why Offer Differentiated Storage Service Levels? Quick Overview of OpenStack Block Storage

321 views • 21 slides
D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient

D2: Access Control #2: Access cess Contr trol ol Similar to OWASP Top 10 Insufficient access control and authentication checks Insecure access control methods Private, internal functions and data are accessible through a

547 views • 11 slides
Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control

Outline Unix-style access control, contd CSci 5271 Multilevel and mandatory access control Introduction to Computer Security Access control, contd Announcements intermission Stephen McCamant Capability-based access control University

380 views • 7 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confiden5ality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ applica5on Hardware/

985 views • 46 slides
A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services

A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services

Introduction Overview Detailed Design Evaluation Related Work Conclusion References A UTH S COPE : Towards Automatic Discovery of Vulnerable Authorizations in Online Services Chaoshun Zuo, Qingchuan Zhao , Zhiqiang Lin University of Texas at

1.4k views • 103 slides
Pros and cons for using LDAP as backend for an RBAC system 3 rd LDAPCon, Heidelberg,

Pros and cons for using LDAP as backend for an RBAC system 3 rd LDAPCon, Heidelberg,

Pros and cons for using LDAP as backend for an RBAC system 3 rd LDAPCon, Heidelberg, 10.-11.10.2011 Peter Gietz, Markus Widmer, DAASI International GmbH Peter.gietz@daasi.de Markus.widmer@daasi.de 1 (c) October 2011 DAASI

815 views • 52 slides
Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of

Access Control Chester Rebeiro Indian Institute of Technology Madras Access Control (the tao of achieving confidentiality and integrity) Who can access What Objects : Subjects : Files/ Programs/ Sockets/ User/ process/ application

1.31k views • 50 slides
Security and Authorization Chapter 21 Database Management Systems, 3ed, R. Ramakrishnan and J.

Security and Authorization Chapter 21 Database Management Systems, 3ed, R. Ramakrishnan and J.

Security and Authorization Chapter 21 Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke 1 Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. E.g., A student cant see

289 views • 8 slides
IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for

IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for

IRODS Security Wayne Schroeder Data Intensive Cyber Environments Team (DICE) Institute for Neural Computation (INC), University of California San Diego irods.org, dice.unc.edu, diceresearch.org Outline General Comments What Guarding

210 views • 10 slides
Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise

Automated Analysis of Access Control Policies Alessandro Armando joint work with Silvio Ranise Artificial Intelligence Laboratory (AI-Lab) Security &amp; Trust Research Unit DIST, University of Genova FBK-IRST Genova Trento A. Armando (U.

879 views • 77 slides
CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco

CS 683 - Security and Privacy Fall 2019 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /fall2019/cs683/cs683_main.htm 1 Le Lecture 14 14 Access Control 2 Recall: Secu curity Service

943 views • 33 slides
Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1

Operating System Security CS 111 Operating Systems Peter Reiher Lecture 17 CS 111 Page 1 Fall 2015 Outline Basic concepts in computer security Design principles for security Important security tools for operating systems

1.15k views • 64 slides

More recommend