Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

Implementing Least Privilege for Interconnected, Agile SOAs/Clouds

  • Chapter
  • First Online:
ISSE 2012 Securing Electronic Business Processes

  • 1261 Accesses

Abstract

The principle of least privilege – users/programs should operate using the least amount of privilege necessary to complete the job – is stated as a critical security (access control policy) objective in most high-level information security policy documents and information security related government regulations and guidance documents. “True least privilege” is a (mostly) theoretical optimum of exactly only the access provisioning that is required, while most real-world least privilege implementations are “suboptimal” in that they overprovision access (e.g. in privilege user account access, government regulations/guidance/ standards) – with disasters such as the U.S. embassy Wikileaks incident as a result. Least privilege is harder to implement the more optimal it should be, because doing it right can be highly complex: (1) it requires fine-grained access policy management that goes beyond identity and roles based access controls, towards attribute-based (ABAC), resource-based (ResBAC), and authorization-based (ZBAC) access controls; (2) access policies need to be highly contextual in order to minimize excess access provisioning; (3) implementing such fine-grained, contextual across policies reliably and verifiably is particularly challenging for today’s dynamically changing IT application landscapes such as agile Service Oriented Architectures (SOAs) and emerging Cloud mash-ups (with “Platform as a Service”, PaaS).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

eBook
USD 15.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 15.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

Literature

  1. US Cert. Build Security In Website. 2012. https://buildsecurityin.us-cert.gov/bsi/articles/knowledge/principles/351-BSI.html

  2. D.F. Ferraiolo and D.R. Kuhn (October 1992). “Role-Based Access Control”. 15th National Computer Security Conference. pp. 554–563. http://csrc.nist.gov/rbac/ferraiolo-kuhn-92.pdf

  3. Guardian (UK), “US embassy cables leak sparks global diplomatic crisis”, 28 November 2010, http://www.guardian.co.uk/world/2010/nov/28/us-embassy-cable-leak-diplomacy-crisis

  4. Karp, A. H., H. Haury, and M. H. Davis. “From ABAC to ZBAC: The Evolution of Access Control Models”, Journal of Information Warfare, vol. 9, #2, pp. 37-45, September 2010. http://www.hpl.hp.com/techreports/2009/HPL-2009-30.pdf

  5. Lang, U. and Mullen, J. “SOA & Cloud Application Information Assurance By Enforcing Enterprise Policies”. April 2012 (publication pending)

    Google Scholar 

  6. Lang, U., “Security Policy Automation: Improve Cloud Application Security ROI” ISSA Journal, October 2010, https://www.issa.org/images/upload/files/Lang-Security%20Policy%20Automation.pdf

  7. Lang, U. “Cloud & SOA Application Security as a Service” Proceedings of ISSE 2010, Berlin, Germany, 5-7 October 2010

    Google Scholar 

  8. Lang, U. “Authorization as a Service for Cloud & SOA Applications”, Proceedings of the International Workshop on Cloud Privacy, Security, Risk & Trust (CPSRT 2010), Collocated with 2nd IEEE International Conference on Cloud Computing Technology and Science (Cloudcom) CPSRT 2010, Indianapolis, In-diana, USA, December 2010

    Google Scholar 

  9. U. Lang, “Authorization as a Service for Cloud & SOA Applications”, Proceedings of the International Workshop on Cloud Privacy, Security, Risk & Trust (CPSRT 2010), Collocated with 2nd IEEE International Conference on Cloud Computing Technology and Science (Cloudcom) CPSRT 2010, Indianapolis, Indiana, USA, December 2010

    Google Scholar 

  10. Lang, U. Blog. “Security policy automation using model driven security”, www.modeldrivensecurity.org

  11. Lang, U. Blog. “Study estimates 59% accreditation cost saving using automated Correct by Construction (CxC) tools (& more for agile SOA/Cloud), 2012, http://objectsecurity-mds.blogspot.com/2012/03/study-estimates-59-accreditation-cost.html

  12. Lang, U and R. Schreiner. “Model Driven Security (MDS) management and en-forcement to support SOA-style agility”. Proceedings of the Information Security Solutions Europe (ISSE) conference, Warsaw, Poland, 26 September 2007

    Google Scholar 

  13. Lang, U. and R. Schreiner. “Model Driven Security Accreditation (MDSA) for Agile, Interconnected IT Landscapes”, Proceedings of WISG 2009 Conference, November 2009

    Google Scholar 

  14. Lang, U. and Schreiner, R. Analysis of recommended cloud security controls to validate Open- PMF “policy as a service”. Information Security Technical Report, Volume 16, Issues 3–4, August– November 2011, Pages 131–141

    Article  Google Scholar 

  15. Lang, U. and Schreiner R. Security Policy Automation for Smart Grids: Manageable Security & Compliance at Large Scale, ISSE Conference Proceedings 2011

    Google Scholar 

  16. NIST. A Survey of Access Control Models. Working Draft, 26 August 2009. http://csrc.nist.gov/news_events/privilege-management-workshop/PvM-Model-Survey-Aug26-2009.pdf

  17. OASIS, Extensible Access Control Markup Language (XACML), OASIS Standard, 2.0, March 2005, xml.coverpages.org/xacml.html

  18. ObjectSecurity. OpenPMF website. openpmf.com, 2000-2011

    Google Scholar 

  19. ObjectSecurity. “ObjectSecurity and Promia implement XML security features for next-generation US military security technology”, Press Release. objectsecu-rity.com/doc/20100430-objectsecurity- promia-navy-soa3.pdf, April 2010

    Google Scholar 

  20. ObjectSecurity/Promia. “SOA IA Demonstrator: Information Assurance (IA) for Serviec Oriented Architecture (SOA)”, demo video tutorial, 2011, http://www.youtube.com/watch?v= AH -0B4Zr_KlI

  21. [RiSL06] Ritter, T, R. Schreiner, U. Lang. “Integrating Security Policies via Container Portable Interceptors”,IEEE distributed systems online, (vol. 7, no. 7), art. no. 0607-o7001, 1541-4922, July 2006

    Google Scholar 

  22. Saltzer, Jerome H. (1974). “Protection and the control of information sharing in multics”. Communications of the ACM 17 (7): 389. doi:10.1145/361011.361067. ISSN 00010782. (computer scientists Peter Denning and Roger Needham also contributed to the definition of least privilege).

    Google Scholar 

  23. Langford, J. SANS Institute InfoSec Reading Room. Implementing Least Privilege at your Enterprise. 2003 (http://www.sans.org/reading_room/whitepapers/bestprac/implementing-privilege-enterprise_1188)

  24. Wikipedia. Least Privilege. 2012. http://en.wikipedia.org/wiki/Principle_of_least_privilege)

Download references

Author information

Authors and Affiliations

  1. Plug & Play Tech Center, 530 University Ave, CA 94301, Palo Alto, USA

    Dr. Ulrich Lang

  2. St John’s Innovation Centre, Cowley Road, CB4 0WS, Cambridge, UK

    Rudolf Schreiner

Authors
  1. Dr. Ulrich Lang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Rudolf Schreiner
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Ulrich Lang .

Editor information

Editors and Affiliations

  1. DuD Datenschutz und Datensicherung, TeleTrust Deutschland e.V., Eichendorffstr. 16, Erfurt, 99096, Thüringen, Germany

    Helmut Reimer

  2. Bornhoefferstr. 40a, Aachen, 52078, Germany

    Norbert Pohlmann

  3. Abraham-Lincoln-Str. 46, Wiesbaden, 65189, Germany

    Wolfgang Schneider

Rights and permissions

Reprints and permissions

Copyright information

© 2012 Springer Fachmedien Wiesbaden

About this chapter

Cite this chapter

Lang, U., Schreiner, R. (2012). Implementing Least Privilege for Interconnected, Agile SOAs/Clouds. In: Reimer, H., Pohlmann, N., Schneider, W. (eds) ISSE 2012 Securing Electronic Business Processes. Springer Vieweg, Wiesbaden. https://doi.org/10.1007/978-3-658-00333-3_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-658-00333-3_10

  • Published:

  • Publisher Name: Springer Vieweg, Wiesbaden

  • Print ISBN: 978-3-658-00332-6

  • Online ISBN: 978-3-658-00333-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation