Embed Size (px)
DESCRIPTION
Access control models are usually static, i.e., permissions are granted based on a policy that only changes seldom. Especially for scenarios in health care and disaster management, a more flexible support of access control, i.e., the underlying policy, is needed. Break-glass is one approach for such a flexible support of policies which helps to prevent system stagnation that could harm lives or otherwise result in losses. Today, break-glass techniques are usually added on top of standard access control solutions in an ad-hoc manner and, therefore, lack an integration into the underlying access control paradigm and the systems' access control enforcement architecture. We present an approach for integrating, in a fine-grained manner, break-glass strategies into standard access control models and their accompanying enforcement architecture. This integration provides means for specifying break-glass policies precisely and supporting model-driven development techniques based on such policies.
Citation preview
Extending Access Control Models withBreak-glass
Achim D Brucker Helmut Petritschachimbrucker helmutpetritschsapcom
Vincenz-Priessnitz-Str Karlsruhe Germany
ACM Symposium on Access Control Models and Technologies(SACMAT )
Stresa Italy th June
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Motivation
Our Vision
Assumewe are a nursetrying to access the patient record of Peter Meier
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Break-glass or Overriding Access Control
While oen motivated withhealth care orpublic security
scenarios also enterprises demand break-glass solutionsfor preventing stagnation on the system administration level andfor preventing stagnation on the business process level
In fact state of the art enterprise systems support break-glass egVirsa Firefighter for SAPOraclersquos Role Manager
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
e Situation Today
Mostly implemented using pre-staged accounts that areeither stored in sealed covers orelectronically issued on request
Break-glass solutions should coverthe creation of break-glass accountsthe distribution pre-staged accountsthe monitoring of the use of break-glass accounts andthe cleanup aer an break-glass situation
is solution isquite coarse-grained andnot integrated into regular access control
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Break-glass The Main Idea
Observations and Goals
During discussions with end users we observeddepending on the situation different overrides can be justifiedsome restrictions can never be overridden
e two main design goals areaccess-control decisions should be overrideable on a perpermission basis andfine-grained configuration of the restrictions that can beoverridden
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Motivation
Our Vision
Assumewe are a nursetrying to access the patient record of Peter Meier
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Break-glass or Overriding Access Control
While oen motivated withhealth care orpublic security
scenarios also enterprises demand break-glass solutionsfor preventing stagnation on the system administration level andfor preventing stagnation on the business process level
In fact state of the art enterprise systems support break-glass egVirsa Firefighter for SAPOraclersquos Role Manager
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
e Situation Today
Mostly implemented using pre-staged accounts that areeither stored in sealed covers orelectronically issued on request
Break-glass solutions should coverthe creation of break-glass accountsthe distribution pre-staged accountsthe monitoring of the use of break-glass accounts andthe cleanup aer an break-glass situation
is solution isquite coarse-grained andnot integrated into regular access control
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Break-glass The Main Idea
Observations and Goals
During discussions with end users we observeddepending on the situation different overrides can be justifiedsome restrictions can never be overridden
e two main design goals areaccess-control decisions should be overrideable on a perpermission basis andfine-grained configuration of the restrictions that can beoverridden
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
Assumewe are a nursetrying to access the patient record of Peter Meier
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Break-glass or Overriding Access Control
While oen motivated withhealth care orpublic security
scenarios also enterprises demand break-glass solutionsfor preventing stagnation on the system administration level andfor preventing stagnation on the business process level
In fact state of the art enterprise systems support break-glass egVirsa Firefighter for SAPOraclersquos Role Manager
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
e Situation Today
Mostly implemented using pre-staged accounts that areeither stored in sealed covers orelectronically issued on request
Break-glass solutions should coverthe creation of break-glass accountsthe distribution pre-staged accountsthe monitoring of the use of break-glass accounts andthe cleanup aer an break-glass situation
is solution isquite coarse-grained andnot integrated into regular access control
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Break-glass The Main Idea
Observations and Goals
During discussions with end users we observeddepending on the situation different overrides can be justifiedsome restrictions can never be overridden
e two main design goals areaccess-control decisions should be overrideable on a perpermission basis andfine-grained configuration of the restrictions that can beoverridden
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Break-glass or Overriding Access Control
While oen motivated withhealth care orpublic security
scenarios also enterprises demand break-glass solutionsfor preventing stagnation on the system administration level andfor preventing stagnation on the business process level
In fact state of the art enterprise systems support break-glass egVirsa Firefighter for SAPOraclersquos Role Manager
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
e Situation Today
Mostly implemented using pre-staged accounts that areeither stored in sealed covers orelectronically issued on request
Break-glass solutions should coverthe creation of break-glass accountsthe distribution pre-staged accountsthe monitoring of the use of break-glass accounts andthe cleanup aer an break-glass situation
is solution isquite coarse-grained andnot integrated into regular access control
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Break-glass The Main Idea
Observations and Goals
During discussions with end users we observeddepending on the situation different overrides can be justifiedsome restrictions can never be overridden
e two main design goals areaccess-control decisions should be overrideable on a perpermission basis andfine-grained configuration of the restrictions that can beoverridden
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Our Vision
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Break-glass or Overriding Access Control
While oen motivated withhealth care orpublic security
scenarios also enterprises demand break-glass solutionsfor preventing stagnation on the system administration level andfor preventing stagnation on the business process level
In fact state of the art enterprise systems support break-glass egVirsa Firefighter for SAPOraclersquos Role Manager
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
e Situation Today
Mostly implemented using pre-staged accounts that areeither stored in sealed covers orelectronically issued on request
Break-glass solutions should coverthe creation of break-glass accountsthe distribution pre-staged accountsthe monitoring of the use of break-glass accounts andthe cleanup aer an break-glass situation
is solution isquite coarse-grained andnot integrated into regular access control
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Break-glass The Main Idea
Observations and Goals
During discussions with end users we observeddepending on the situation different overrides can be justifiedsome restrictions can never be overridden
e two main design goals areaccess-control decisions should be overrideable on a perpermission basis andfine-grained configuration of the restrictions that can beoverridden
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
Break-glass or Overriding Access Control
While oen motivated withhealth care orpublic security
scenarios also enterprises demand break-glass solutionsfor preventing stagnation on the system administration level andfor preventing stagnation on the business process level
In fact state of the art enterprise systems support break-glass egVirsa Firefighter for SAPOraclersquos Role Manager
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
e Situation Today
Mostly implemented using pre-staged accounts that areeither stored in sealed covers orelectronically issued on request
Break-glass solutions should coverthe creation of break-glass accountsthe distribution pre-staged accountsthe monitoring of the use of break-glass accounts andthe cleanup aer an break-glass situation
is solution isquite coarse-grained andnot integrated into regular access control
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Break-glass The Main Idea
Observations and Goals
During discussions with end users we observeddepending on the situation different overrides can be justifiedsome restrictions can never be overridden
e two main design goals areaccess-control decisions should be overrideable on a perpermission basis andfine-grained configuration of the restrictions that can beoverridden
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Motivation
e Situation Today
Mostly implemented using pre-staged accounts that areeither stored in sealed covers orelectronically issued on request
Break-glass solutions should coverthe creation of break-glass accountsthe distribution pre-staged accountsthe monitoring of the use of break-glass accounts andthe cleanup aer an break-glass situation
is solution isquite coarse-grained andnot integrated into regular access control
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Break-glass The Main Idea
Observations and Goals
During discussions with end users we observeddepending on the situation different overrides can be justifiedsome restrictions can never be overridden
e two main design goals areaccess-control decisions should be overrideable on a perpermission basis andfine-grained configuration of the restrictions that can beoverridden
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Break-glass The Main Idea
Observations and Goals
During discussions with end users we observeddepending on the situation different overrides can be justifiedsome restrictions can never be overridden
e two main design goals areaccess-control decisions should be overrideable on a perpermission basis andfine-grained configuration of the restrictions that can beoverridden
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Observations and Goals
During discussions with end users we observeddepending on the situation different overrides can be justifiedsome restrictions can never be overridden
e two main design goals areaccess-control decisions should be overrideable on a perpermission basis andfine-grained configuration of the restrictions that can beoverridden
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Emergeny Levels
DefinitionA policy p refines a policy pprime (written p ⊑ pprime) if and only if the set ofsystem traces that are allowed under p is a subset of the system tracesthat are allowed under pprime
A policy p refines a policy pprime iff p is at least as restrictive as pprimep⊺ is the policy that allows all actions andp is the policy that denies all actionsp refines all policies and every policy is a refinement of p⊺PA be the set of all policies of the access control modelA(PA ⊑ p p⊺) is a lattice
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Regular Policies and Emergeny Policies
DefinitionWe refer to the regular policy i e the policy that should be obeyed innormal operations as preg and we refer to the set of policies that arerefined by the regular policy i e
LA = p ∣ p isin PA and preg ⊑ p and p ne preg
as emergency levels or emergency policies of the policy preg We requirethat (PA ∖ p ⊑ preg p⊺) is a lattice i e inf(PA ∖ p) = preg
An emergency level can be active or inactiveOnly active emergency levels contribute to the access controldecisione regular policy is always active
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Break-glass The Main Idea
Hierarchical Break-glass Access Control
An access that is only granted by anemergency policy ℓ isin LA is calledoverride accessOverride accesses are only granted ifthere is an active policy grantingaccessObligations can be attached to an(emergency) policy ie requiringuser confirmations or for activatingmonitoringBy evaluating the policies intopological order the refinementrelation holds by construction
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
Break-glass Architecture Main Idea
e break-glass policy combination strategy can beimplemented by a meta PDP
e Break-glass PDP implements the break-glass policycombination strategy on top of existing PDPsUser confirmations can be implemented using obligations
the various PDPs need to support obligationsthe various PEPs need to support obligationsthe user interface needs to support confirmation requests
Break-glass does not impose restrictions on the underlyingaccess control model
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
A Generic Architecture Supporting Break-glass
A Generic Break-glass Architecture
User Interface Confirmation Handler
ObligationSupport
ProtectedResourcePEP
Break-glassPDP
SingleSign-on
ExistingPDP(s)
Obligation Support
Policy Manager
Authentic
ation 1 4
2 3 33a 3b
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Generic
SecureUML
ArgoUMLminusplugin
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Transformations
SecureUML minusgt UMLOCL
UMLOCL minusgt UMLOCL
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
Code Generator
SecureUML UML OCL
Java C Junit XACL USE
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusOCL
formal analysis
formal verification
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
HOLminusTestGen
modelminusbased unit test
sequence testing
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
e Model-driven Security VisionA Tool-supported and Security-aware Formal Model-driven Engineering Process
1lowast
Role
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Class
+ Public Method Protected Method
attribute Type
minus Private Method
Model TransformationDesign
Phase Phase
Verification and
Codeminusgeneration Phase Deployment Phase
Testing and
UMLOCL
(XMI)
orSecureUMLOCL
CodeGenerator
RepositoryModel
(su4sml)
ModelminusAnalysisand Verification
(HOLminusOCL)Transformation
Model
HOLminusTestGen
ArgoUML
ACConfig
C+OCL
TestHarness
manualCode
Proof
Obligations
Test Data
Program
Generation
Validation
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugin
can easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
SecureUML
Subject
Group User
Role Permission
AuthorizationConstraint
Action
AtomicAction CompositeAction
Resource0 0 1 0 0 1 00
00 0 0
01 00
Policy Obligation1
0
1 0
0
0
SecureUMLis a UML-based notationprovides abstract Syntax given by MOF compliant metamodelis pluggable into arbitrary design modeling languagesis supported by an ArgoUML plugincan easily be extended with support for break-glass
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Modeling Access Control with SecureUML
MedicalRecorddiseaseStringmedicationStringread()OclVoidupdate()OclVoidcreate()OclVoid
PatientnameString
0owner 1
laquosecureumlroleraquoUserRole
laquosecureumlroleraquoAdministratorRole
laquosecureumlpermissionraquoOwnerMedicalRecordMedicalRecordreadMedicalRecordupdateMedicalRecorddelete
caller=selfownername
laquosecureumlpolicyraquoLowEmergencyLevel
laquosecureumlpolicyraquoHighEmergencyLevel
laquosecureumlpermissionraquoEmergencyOwnerMedicalRecordMedicalRecordread
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
ArgoUML Support
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Extending Model-driven Security
Code Generation (Java and XACML)
In case of XACML we can generatethe policies andthe PDP configuration
In particular wesort the policies topologicaluse the ldquofirst-applicablerdquo combining algorithm of XACML andexploit the obligations support of XACML
With respect to the application we generate(stubs of) the business logicthe calls to PDP andthe PEP
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Outline
Motivation
Break-glass e Main Idea
A Generic Architecture Supporting Break-glass
Extending Model-driven Security
Conclusion and Future Work
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Conclusion and Future Work
Conclusion and Future Work
We presented aa generic break-glass model that allows the fine-grainedoverriding of access control decisionsan generic architecture for implementing break-glassan extension of SecureUML supporting break-glass andthe mapping of break-glass to XACML
Future work includes the integration and development ofanalysis techniques for user providing feedback to the userbreak-glass concepts for IT compliance andtechniques for a posteriori analysis of incidents
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
ank youfor your attention
Any questions or remarks
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
Bibliography
Bibliography
Achim D Brucker and Helmut PetritschExtending access control models with break-glassIn ACM symposium on access control models and technologies (SACMAT) pagesndash ACM Press
AD Brucker and H Petritsch (SAP Research) Access Control Models with Break-glass SACMAT
![University Apartments on Brooklyn PROJECT MANUAL · J. Door Glazing: [Clear float glass] [Tempered float glass (clear)] [Tempered float glass (bronze tint)] [Break glass] [Tempered](https://img.pdfslide.us/doc/110x75/5eb71adcdf7a200ae41481c9/university-apartments-on-brooklyn-project-j-door-glazing-clear-float-glass-tempered.jpg)